Analysis
-
max time kernel
76s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-12-2024 12:03
General
-
Target
60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe
-
Size
4.6MB
-
MD5
d35685275d19eba3a22a46003858b4b0
-
SHA1
196ffdf8fab82a9fe1a268cd6a6897ef331b46bb
-
SHA256
60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063
-
SHA512
5e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf
-
SSDEEP
98304:J6b+fgPSpV+apIEypgOTCqAijHZA65ALrpjiN8:JyBAONp5AijH6AAPpjL
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
eski kamarun
C2
haybensenin3.zapto.org:1604
Mutex
DC_MUTEX-4J5WTK5
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Yf3o5TbGwnLJ
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Sets file to hidden 1 TTPs 64 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
UPX packed file 52 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe"C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\60ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063N.exe" +s +h3⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\84C0.tmp\Mt2-Multi.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy root.eix pack /y4⤵
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h4⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\msdcsc.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h6⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"6⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h8⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h8⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h9⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad8⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"9⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h10⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"10⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h13⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad12⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h14⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"13⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h15⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"14⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad14⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h16⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"15⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h17⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"16⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad16⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h18⤵
- Drops file in System32 directory
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"17⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h19⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"18⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad18⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h20⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"19⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"19⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h21⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad20⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h22⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h23⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"22⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad22⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV124⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h24⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"23⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h24⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h25⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"24⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad24⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h25⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV126⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"25⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"25⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h26⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h27⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"26⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad26⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h28⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h28⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h29⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad28⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h29⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h30⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"29⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"29⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h30⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h31⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"30⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad30⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h32⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"31⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"31⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h32⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h33⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"32⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad32⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h33⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h34⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"33⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h34⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h35⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"34⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad34⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h35⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h36⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"35⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"35⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h36⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h37⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"36⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad36⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"36⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h38⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"37⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"37⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h38⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h39⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"38⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad38⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"38⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h40⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"39⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"39⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h40⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h41⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"40⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad40⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h42⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"41⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"41⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h42⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h43⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"42⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad42⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h43⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h44⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"43⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"43⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h44⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h45⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"44⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad44⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h46⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"45⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h46⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV147⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h47⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"46⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad46⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h48⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"47⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"47⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h48⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h49⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"48⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad48⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"48⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h49⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV150⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h50⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"49⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"49⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h50⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h51⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"50⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad50⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"50⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h51⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h52⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"51⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad51⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"51⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h52⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h53⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"52⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad52⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h53⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h54⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"53⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad53⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"53⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h54⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h55⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"54⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad54⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"54⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h55⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h56⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"55⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad55⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"55⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h56⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h57⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"56⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad56⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"56⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h57⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h58⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"57⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad57⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"57⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h58⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h59⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"58⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad58⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"58⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h59⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h60⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"59⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad59⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"59⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h60⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h61⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"60⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad60⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"60⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h61⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h62⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"61⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad61⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"61⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h62⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h63⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"62⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad62⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"62⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h63⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h64⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"63⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad63⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"63⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h64⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h65⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"64⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad64⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"64⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h65⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h66⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"65⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad65⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"65⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h66⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h67⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"66⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad66⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"66⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h67⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h68⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"67⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad67⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"67⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h68⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h69⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"68⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\notepad.exenotepad68⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"68⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h69⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h70⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"69⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad69⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"69⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h70⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h71⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"70⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad70⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"70⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h71⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h72⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"71⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad71⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"71⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h72⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h73⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"72⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad72⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"72⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h73⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h74⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"73⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad73⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"73⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h74⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h75⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"74⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad74⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"74⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h75⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h76⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"75⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad75⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"75⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h76⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h77⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"76⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad76⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"76⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h77⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h78⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"77⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad77⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"77⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h78⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h79⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"78⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad78⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"78⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h79⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h80⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"79⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad79⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"79⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h80⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h81⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"80⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad80⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"80⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h81⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h82⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"81⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad81⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"81⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h82⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h83⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"82⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad82⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"82⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h83⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h84⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"83⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad83⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"83⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h84⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h85⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"84⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad84⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"84⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h85⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h86⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"85⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad85⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"85⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h86⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h87⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"86⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad86⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"86⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h87⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h88⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"87⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad87⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"87⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h88⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h89⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"88⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad88⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"88⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h89⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h90⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"89⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad89⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"89⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h90⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h91⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"90⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad90⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"90⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h91⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h92⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"91⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad91⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"91⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h92⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h93⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"92⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad92⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"92⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h93⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h94⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"93⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad93⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"93⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h94⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h95⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"94⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad94⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"94⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h95⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h96⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"95⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad95⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"95⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h96⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h97⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"96⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad96⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"96⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h97⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h98⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"97⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad97⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"97⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h98⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h99⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"98⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad98⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"98⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h99⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h100⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"99⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad99⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"99⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h100⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h101⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"100⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad100⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"100⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h101⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h102⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"101⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad101⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"101⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h102⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h103⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"102⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad102⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"102⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h103⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h104⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"103⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad103⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"103⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h104⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h105⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"104⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad104⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"104⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h105⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h106⤵
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"105⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad105⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11940 -s 76106⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"105⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h106⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h107⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"106⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad106⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"106⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h107⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h108⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"107⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad107⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"107⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h108⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h109⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"108⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad108⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"108⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h109⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h110⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"109⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad109⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"109⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h110⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h111⤵
- Sets file to hidden
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"110⤵
-
-
C:\Windows\SysWOW64\notepad.exenotepad110⤵
-
-
C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"C:\Windows\system32\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe"110⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h111⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\MSDCSC\Yf3o5TbGwnLJ\Yf3o5TbGwnLJ\msdcsc.exe" +s +h112⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"C:\Users\Admin\AppData\Local\Temp\MT2-MULTI.EXE"111⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 11940 -ip 119401⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1017B
MD5e8418b1de6056eba9bc6ab0c39816d92
SHA184f1a312e1e091a6a3a2732dfaadb184925ecf23
SHA256dc03a6cb5d890b394710e7e7e62078769e022f67fc860ef395c9266cc6e366c3
SHA5125850e9ae599d8e331cd1de9d588b6141a5fb49535465269e77f48f5f8c502e8031bc8db323c24ea8d4848fc65504ae1fbd6fde668ed14ae1f5671efccdc8215b
-
Filesize
4.0MB
MD5ccc17e89b056812ed0974d656b1238af
SHA13cb7818b697a97a51765849dfdc1d907a53e3b46
SHA2565665f6c603b8356a61fe90d5d90b0ea945342c90210eccdf4884d1ca88013703
SHA51267c327330ea33026e447c3b636c86833145e2b9931b423cfa906c4d0423504e7d374f389cb3c1b31cc98e3f235b9e0e14d633b0b7df1f0135b5df71187510601
-
Filesize
5KB
MD5ecd47ce38514bdcc77261d7999c1fc31
SHA12474132673bff0597126066a02aacf93d121df33
SHA2567de3ed1684a75828b8b018b657377526d3757ec12c3bae23b791397d99725177
SHA512f444739eba131ead9fb3758866c695da3e9b71fcd17f9a9b6f17a8385eadb2d9c5b525048c2ec79792e6524f2620c73151fc49956335b684756f3dec8e97d800
-
Filesize
4.0MB
MD5d7f078c90867fcde7c5d8436cc56971c
SHA1b1f71f7496418a479ceaf584d010b5c33dd8974e
SHA25690e38a646c07e5ea8456459bee2d07920e48bd916e841f8328372d2971a74c98
SHA5122b44e4e583c8d6205d1e5532c50d2811bc704455ba89312746084a2a3d5e688c7a12c3fcd5c2031abb6a84a2eb9f8406f1096f1236bcc1496bde07365dbaba13
-
Filesize
105B
MD5f856c5b043e95b51974550405aef95af
SHA1e7e8b5e0000fdb416a46c3d95316520e92c5185e
SHA256b1bb1ad59ab40011980401ad514b4e7a2adcba56912045afbad090f593fce813
SHA512e38a84fd7baef517a9cf031c69ce63cb4136de2ec2cf8665d24b9632faf5fed523b73754225c6cce92967ea378f85d21c21e0735dc070891f1a52a57f769927f
-
Filesize
3KB
MD5bd2a5779cc56ea237fcf3190e3a0c0e8
SHA13b017ae3f3e64754f99ab3803560aa154f03d5d6
SHA256e1be3b513f11f6745da58ca609704591658510dfb58a42fc660f86dae68a4992
SHA512ee664522f20f364d2d99ebeaedc639d156f96d1674fe0ae20c4b817b0043de471caf5d69ec7a7711aa81e7e1e9237de168f3a45e734f44ca74ce84cdc9fbc65a
-
Filesize
4.6MB
MD5d35685275d19eba3a22a46003858b4b0
SHA1196ffdf8fab82a9fe1a268cd6a6897ef331b46bb
SHA25660ff0dd4a4a0b8c91976c26283c7d5a4fb23bb78af17de520526447b010e4063
SHA5125e33cd1983d05b9697ef3a0cb4ac8129f53b0156c434dad1398dec6e67b44e5fa82d531741b8afcf32e8106d59d64aeba5e71e53a6dba352d4f89621217374cf
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB