Analysis
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
11-12-2024 14:12
Static task
static1
Behavioral task
behavioral1
Sample
e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target
e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe
Size
1.0MB
MD5
e1d352f2b8632d80920f486f54e8a806
SHA1
64adc78b47c8deb4e62152f15bfa0a258818f020
SHA256
fbeb235e9a95e4cfefd6fe2201e3bf9350eb23f79a98c449613951c2384c4671
SHA512
70d6a300c8282f1db4e395a364999879a8329d113fca8c119e928e66100f4cb6098c41c7fab7e5f9ff348495944d505cf5764dbcbd3f349c7998ee0cc1835a74
SSDEEP
24576:axpuMVkynnbwNvDIVhpCeOHR8fxZUzx3OF9jx:epZnnMNvEhppqR8HUlePjx
Malware Config
Signatures
Darkcomet family
Modifies WinLogon for persistence 2 TTPs 25 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" hh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe,C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe -
Sets file to hidden 1 TTPs 48 IoCs
Modifies file attributes so that the file is not shown in Explorer and similar tools.
pid Process 1344 attrib.exe 1508 attrib.exe 840 attrib.exe 1576 attrib.exe 3052 attrib.exe 1508 attrib.exe 2864 attrib.exe 1236 attrib.exe 2600 attrib.exe 648 attrib.exe 2064 attrib.exe 3064 attrib.exe 2748 attrib.exe 952 attrib.exe 2024 attrib.exe 864 attrib.exe 2108 attrib.exe 1912 attrib.exe 1432 attrib.exe 2752 attrib.exe 1000 attrib.exe 2948 attrib.exe 2744 attrib.exe 908 attrib.exe 2212 attrib.exe 1096 attrib.exe 1708 attrib.exe 1576 attrib.exe 2992 attrib.exe 2764 attrib.exe 2820 attrib.exe 648 attrib.exe 1296 attrib.exe 2600 attrib.exe 2312 attrib.exe 268 attrib.exe 2424 attrib.exe 1804 attrib.exe 952 attrib.exe 2896 attrib.exe 2220 attrib.exe 2888 attrib.exe 2084 attrib.exe 2696 attrib.exe 2404 attrib.exe 2232 attrib.exe 2992 attrib.exe 2064 attrib.exe -
Executes dropped EXE 50 IoCs
pid Process 2576 hh.exe 2816 129660.devid.info.exe 2728 129660.DEVID.INFO.EXE 2856 svch0stc.exe 3056 129660.DEVID.INFO.EXE 1128 svch0stc.exe 2008 129660.DEVID.INFO.EXE 1848 svch0stc.exe 820 129660.DEVID.INFO.EXE 2468 svch0stc.exe 2380 129660.DEVID.INFO.EXE 1032 svch0stc.exe 1864 129660.DEVID.INFO.EXE 1276 svch0stc.exe 920 129660.DEVID.INFO.EXE 1644 svch0stc.exe 2560 129660.DEVID.INFO.EXE 2528 svch0stc.exe 2876 129660.DEVID.INFO.EXE 2288 svch0stc.exe 2808 129660.DEVID.INFO.EXE 1760 svch0stc.exe 2148 129660.DEVID.INFO.EXE 2552 svch0stc.exe 2468 129660.DEVID.INFO.EXE 2192 svch0stc.exe 1928 129660.DEVID.INFO.EXE 1764 svch0stc.exe 2804 129660.DEVID.INFO.EXE 1396 svch0stc.exe 1528 129660.DEVID.INFO.EXE 1544 svch0stc.exe 944 129660.DEVID.INFO.EXE 1096 svch0stc.exe 2380 129660.DEVID.INFO.EXE 840 svch0stc.exe 2368 129660.DEVID.INFO.EXE 2804 svch0stc.exe 2384 129660.DEVID.INFO.EXE 952 svch0stc.exe 2200 129660.DEVID.INFO.EXE 1272 svch0stc.exe 1724 129660.DEVID.INFO.EXE 2808 svch0stc.exe 2668 129660.DEVID.INFO.EXE 1636 svch0stc.exe 908 129660.DEVID.INFO.EXE 1492 svch0stc.exe 1636 129660.DEVID.INFO.EXE 1324 svch0stc.exe -
Loads dropped DLL 64 IoCs
pid Process 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 2576 hh.exe 2576 hh.exe 2576 hh.exe 2856 svch0stc.exe 2856 svch0stc.exe 2856 svch0stc.exe 1128 svch0stc.exe 1128 svch0stc.exe 1128 svch0stc.exe 1848 svch0stc.exe 1848 svch0stc.exe 1848 svch0stc.exe 2468 svch0stc.exe 2468 svch0stc.exe 2468 svch0stc.exe 1032 svch0stc.exe 1032 svch0stc.exe 1032 svch0stc.exe 1276 svch0stc.exe 1276 svch0stc.exe 1276 svch0stc.exe 1644 svch0stc.exe 1644 svch0stc.exe 1644 svch0stc.exe 2528 svch0stc.exe 2528 svch0stc.exe 2528 svch0stc.exe 2288 svch0stc.exe 2288 svch0stc.exe 2288 svch0stc.exe 1760 svch0stc.exe 1760 svch0stc.exe 1760 svch0stc.exe 2552 svch0stc.exe 2552 svch0stc.exe 2552 svch0stc.exe 2192 svch0stc.exe 2192 svch0stc.exe 2192 svch0stc.exe 1764 svch0stc.exe 1764 svch0stc.exe 1764 svch0stc.exe 1396 svch0stc.exe 1396 svch0stc.exe 1396 svch0stc.exe 1544 svch0stc.exe 1544 svch0stc.exe 1544 svch0stc.exe 1096 svch0stc.exe 1096 svch0stc.exe 1096 svch0stc.exe 840 svch0stc.exe 840 svch0stc.exe 840 svch0stc.exe 2804 svch0stc.exe 2804 svch0stc.exe 2804 svch0stc.exe 952 svch0stc.exe 952 svch0stc.exe 952 svch0stc.exe 1272 svch0stc.exe -
Adds Run key to start application 2 TTPs 25 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" hh.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svch0stc.exe = "C:\\Windows\\system32\\svc\\svch0stc.exe" svch0stc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ hh.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe 
attrib.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe attrib.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File created C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification 
C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc\ svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc\svch0stc.exe svch0stc.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe File opened for modification C:\Windows\SysWOW64\svc attrib.exe -
resource yara_rule behavioral1/files/0x0008000000016276-14.dat upx behavioral1/memory/2816-19-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2816-44-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2728-86-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/3056-94-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/3056-120-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1128-125-0x00000000036B0000-0x00000000036D2000-memory.dmp upx behavioral1/memory/2008-154-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/820-162-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/820-189-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2380-197-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2380-224-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1864-232-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1032-231-0x00000000036D0000-0x00000000036F2000-memory.dmp upx behavioral1/memory/1864-259-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/920-266-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/920-293-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2560-301-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2560-329-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2876-358-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2808-363-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2808-386-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2148-414-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2468-419-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2468-441-0x0000000000400000-0x0000000000422000-memory.dmp 
upx behavioral1/memory/2192-446-0x0000000003570000-0x0000000003592000-memory.dmp upx behavioral1/memory/1928-447-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1928-470-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2804-475-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2804-498-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1528-504-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1528-527-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/944-555-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2380-561-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2380-584-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2368-590-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2368-613-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2384-618-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2384-641-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2200-669-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1724-697-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/908-725-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/2668-747-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/908-749-0x0000000000400000-0x0000000000422000-memory.dmp upx behavioral1/memory/1636-751-0x0000000000400000-0x0000000000422000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that the NLS\Language key reads listed below come largely from stock utilities (cmd.exe, attrib.exe, PING.EXE) spawned by the sample, so this signature is a low-fidelity indicator on its own here.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 129660.DEVID.INFO.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 129660.DEVID.INFO.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 129660.DEVID.INFO.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 129660.devid.info.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 129660.DEVID.INFO.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 129660.DEVID.INFO.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svch0stc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 129660.DEVID.INFO.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 48 IoCs
Adversaries may check for Internet connectivity on compromised systems. In this process tree every ping targets the loopback address (`ping 127.0.0.1 -n 4`) and is chained with `del`, so it serves as a delay before file deletion rather than a genuine connectivity check.
pid Process 536 cmd.exe 2728 cmd.exe 2544 PING.EXE 1956 PING.EXE 1096 PING.EXE 1144 PING.EXE 1768 cmd.exe 1332 cmd.exe 2000 PING.EXE 2816 cmd.exe 2432 PING.EXE 1324 PING.EXE 2024 PING.EXE 1724 cmd.exe 908 cmd.exe 2484 cmd.exe 1832 PING.EXE 2796 cmd.exe 2152 cmd.exe 1752 cmd.exe 900 cmd.exe 864 cmd.exe 1564 cmd.exe 2884 cmd.exe 2084 PING.EXE 676 cmd.exe 2780 PING.EXE 2448 cmd.exe 3016 cmd.exe 236 cmd.exe 1492 PING.EXE 2320 PING.EXE 2148 cmd.exe 1576 cmd.exe 1760 PING.EXE 3036 PING.EXE 2380 PING.EXE 1288 cmd.exe 1140 PING.EXE 1004 PING.EXE 936 PING.EXE 600 PING.EXE 1704 cmd.exe 2824 PING.EXE 2084 PING.EXE 2908 PING.EXE 2096 cmd.exe 268 PING.EXE -
Runs ping.exe 1 TTPs 24 IoCs
pid Process 268 PING.EXE 1760 PING.EXE 600 PING.EXE 2380 PING.EXE 1832 PING.EXE 2320 PING.EXE 936 PING.EXE 2024 PING.EXE 3036 PING.EXE 2544 PING.EXE 1144 PING.EXE 1140 PING.EXE 2084 PING.EXE 2908 PING.EXE 2432 PING.EXE 2084 PING.EXE 1004 PING.EXE 2780 PING.EXE 2000 PING.EXE 1096 PING.EXE 1956 PING.EXE 1492 PING.EXE 2824 PING.EXE 1324 PING.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2576 hh.exe Token: SeSecurityPrivilege 2576 hh.exe Token: SeTakeOwnershipPrivilege 2576 hh.exe Token: SeLoadDriverPrivilege 2576 hh.exe Token: SeSystemProfilePrivilege 2576 hh.exe Token: SeSystemtimePrivilege 2576 hh.exe Token: SeProfSingleProcessPrivilege 2576 hh.exe Token: SeIncBasePriorityPrivilege 2576 hh.exe Token: SeCreatePagefilePrivilege 2576 hh.exe Token: SeBackupPrivilege 2576 hh.exe Token: SeRestorePrivilege 2576 hh.exe Token: SeShutdownPrivilege 2576 hh.exe Token: SeDebugPrivilege 2576 hh.exe Token: SeSystemEnvironmentPrivilege 2576 hh.exe Token: SeChangeNotifyPrivilege 2576 hh.exe Token: SeRemoteShutdownPrivilege 2576 hh.exe Token: SeUndockPrivilege 2576 hh.exe Token: SeManageVolumePrivilege 2576 hh.exe Token: SeImpersonatePrivilege 2576 hh.exe Token: SeCreateGlobalPrivilege 2576 hh.exe Token: 33 2576 hh.exe Token: 34 2576 hh.exe Token: 35 2576 hh.exe Token: SeIncreaseQuotaPrivilege 2856 svch0stc.exe Token: SeSecurityPrivilege 2856 svch0stc.exe Token: SeTakeOwnershipPrivilege 2856 svch0stc.exe Token: SeLoadDriverPrivilege 2856 svch0stc.exe Token: SeSystemProfilePrivilege 2856 svch0stc.exe Token: SeSystemtimePrivilege 2856 svch0stc.exe Token: SeProfSingleProcessPrivilege 2856 svch0stc.exe Token: SeIncBasePriorityPrivilege 2856 svch0stc.exe Token: SeCreatePagefilePrivilege 2856 svch0stc.exe Token: SeBackupPrivilege 2856 svch0stc.exe Token: SeRestorePrivilege 2856 svch0stc.exe Token: SeShutdownPrivilege 2856 svch0stc.exe Token: SeDebugPrivilege 2856 svch0stc.exe Token: SeSystemEnvironmentPrivilege 2856 svch0stc.exe Token: SeChangeNotifyPrivilege 2856 svch0stc.exe Token: SeRemoteShutdownPrivilege 2856 svch0stc.exe Token: SeUndockPrivilege 2856 svch0stc.exe Token: SeManageVolumePrivilege 2856 svch0stc.exe Token: SeImpersonatePrivilege 2856 svch0stc.exe Token: SeCreateGlobalPrivilege 2856 svch0stc.exe Token: 33 2856 svch0stc.exe Token: 34 2856 svch0stc.exe Token: 35 2856 svch0stc.exe Token: 
SeIncreaseQuotaPrivilege 1128 svch0stc.exe Token: SeSecurityPrivilege 1128 svch0stc.exe Token: SeTakeOwnershipPrivilege 1128 svch0stc.exe Token: SeLoadDriverPrivilege 1128 svch0stc.exe Token: SeSystemProfilePrivilege 1128 svch0stc.exe Token: SeSystemtimePrivilege 1128 svch0stc.exe Token: SeProfSingleProcessPrivilege 1128 svch0stc.exe Token: SeIncBasePriorityPrivilege 1128 svch0stc.exe Token: SeCreatePagefilePrivilege 1128 svch0stc.exe Token: SeBackupPrivilege 1128 svch0stc.exe Token: SeRestorePrivilege 1128 svch0stc.exe Token: SeShutdownPrivilege 1128 svch0stc.exe Token: SeDebugPrivilege 1128 svch0stc.exe Token: SeSystemEnvironmentPrivilege 1128 svch0stc.exe Token: SeChangeNotifyPrivilege 1128 svch0stc.exe Token: SeRemoteShutdownPrivilege 1128 svch0stc.exe Token: SeUndockPrivilege 1128 svch0stc.exe Token: SeManageVolumePrivilege 1128 svch0stc.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 2816 129660.devid.info.exe 2728 129660.DEVID.INFO.EXE 3056 129660.DEVID.INFO.EXE 2008 129660.DEVID.INFO.EXE 820 129660.DEVID.INFO.EXE 2380 129660.DEVID.INFO.EXE 1864 129660.DEVID.INFO.EXE 920 129660.DEVID.INFO.EXE 2560 129660.DEVID.INFO.EXE 2876 129660.DEVID.INFO.EXE 2808 129660.DEVID.INFO.EXE 2148 129660.DEVID.INFO.EXE 2468 129660.DEVID.INFO.EXE 1928 129660.DEVID.INFO.EXE 2804 129660.DEVID.INFO.EXE 1528 129660.DEVID.INFO.EXE 944 129660.DEVID.INFO.EXE 2380 129660.DEVID.INFO.EXE 2368 129660.DEVID.INFO.EXE 2384 129660.DEVID.INFO.EXE 2200 129660.DEVID.INFO.EXE 1724 129660.DEVID.INFO.EXE 2668 129660.DEVID.INFO.EXE 908 129660.DEVID.INFO.EXE 1636 129660.DEVID.INFO.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2576 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 31 PID 2160 wrote to memory of 2576 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 31 PID 2160 wrote to memory of 2576 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 31 PID 2160 wrote to memory of 2576 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 31 PID 2160 wrote to memory of 2816 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 32 PID 2160 wrote to memory of 2816 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 32 PID 2160 wrote to memory of 2816 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 32 PID 2160 wrote to memory of 2816 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 32 PID 2160 wrote to memory of 2816 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 32 PID 2160 wrote to memory of 2816 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 32 PID 2160 wrote to memory of 2816 2160 e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe 32 PID 2576 wrote to memory of 2880 2576 hh.exe 33 PID 2576 wrote to memory of 2880 2576 hh.exe 33 PID 2576 wrote to memory of 2880 2576 hh.exe 33 PID 2576 wrote to memory of 2880 2576 hh.exe 33 PID 2576 wrote to memory of 2616 2576 hh.exe 35 PID 2576 wrote to memory of 2616 2576 hh.exe 35 PID 2576 wrote to memory of 2616 2576 hh.exe 35 PID 2576 wrote to memory of 2616 2576 hh.exe 35 PID 2576 wrote to memory of 2728 2576 hh.exe 37 PID 2576 wrote to memory of 2728 2576 hh.exe 37 PID 2576 wrote to memory of 2728 2576 hh.exe 37 PID 2576 wrote to memory of 2728 2576 hh.exe 37 PID 2576 wrote to memory of 2728 2576 hh.exe 37 PID 2576 wrote to memory of 2728 2576 hh.exe 37 PID 2576 wrote to memory of 2728 2576 hh.exe 37 PID 2616 wrote to memory of 2888 2616 cmd.exe 38 PID 2616 wrote to memory of 2888 2616 cmd.exe 38 PID 2616 wrote to memory of 2888 2616 cmd.exe 38 PID 2616 wrote to memory of 2888 2616 cmd.exe 38 PID 2880 wrote to memory of 648 
2880 cmd.exe 39 PID 2880 wrote to memory of 648 2880 cmd.exe 39 PID 2880 wrote to memory of 648 2880 cmd.exe 39 PID 2880 wrote to memory of 648 2880 cmd.exe 39 PID 2576 wrote to memory of 1288 2576 hh.exe 40 PID 2576 wrote to memory of 1288 2576 hh.exe 40 PID 2576 wrote to memory of 1288 2576 hh.exe 40 PID 2576 wrote to memory of 1288 2576 hh.exe 40 PID 1288 wrote to memory of 2000 1288 cmd.exe 42 PID 1288 wrote to memory of 2000 1288 cmd.exe 42 PID 1288 wrote to memory of 2000 1288 cmd.exe 42 PID 1288 wrote to memory of 2000 1288 cmd.exe 42 PID 2576 wrote to memory of 2856 2576 hh.exe 43 PID 2576 wrote to memory of 2856 2576 hh.exe 43 PID 2576 wrote to memory of 2856 2576 hh.exe 43 PID 2576 wrote to memory of 2856 2576 hh.exe 43 PID 2856 wrote to memory of 2940 2856 svch0stc.exe 44 PID 2856 wrote to memory of 2940 2856 svch0stc.exe 44 PID 2856 wrote to memory of 2940 2856 svch0stc.exe 44 PID 2856 wrote to memory of 2940 2856 svch0stc.exe 44 PID 2856 wrote to memory of 1440 2856 svch0stc.exe 45 PID 2856 wrote to memory of 1440 2856 svch0stc.exe 45 PID 2856 wrote to memory of 1440 2856 svch0stc.exe 45 PID 2856 wrote to memory of 1440 2856 svch0stc.exe 45 PID 2856 wrote to memory of 3056 2856 svch0stc.exe 48 PID 2856 wrote to memory of 3056 2856 svch0stc.exe 48 PID 2856 wrote to memory of 3056 2856 svch0stc.exe 48 PID 2856 wrote to memory of 3056 2856 svch0stc.exe 48 PID 2856 wrote to memory of 3056 2856 svch0stc.exe 48 PID 2856 wrote to memory of 3056 2856 svch0stc.exe 48 PID 2856 wrote to memory of 3056 2856 svch0stc.exe 48 PID 2940 wrote to memory of 2948 2940 cmd.exe 49 PID 2940 wrote to memory of 2948 2940 cmd.exe 49 PID 2940 wrote to memory of 2948 2940 cmd.exe 49 -
Views/modifies file attributes 1 TTPs 48 IoCs
pid Process 2748 attrib.exe 2992 attrib.exe 2212 attrib.exe 2220 attrib.exe 1912 attrib.exe 1708 attrib.exe 2864 attrib.exe 1236 attrib.exe 2992 attrib.exe 2064 attrib.exe 2752 attrib.exe 2696 attrib.exe 2064 attrib.exe 908 attrib.exe 2764 attrib.exe 2232 attrib.exe 2820 attrib.exe 1000 attrib.exe 1508 attrib.exe 1576 attrib.exe 2024 attrib.exe 2404 attrib.exe 2896 attrib.exe 952 attrib.exe 3064 attrib.exe 2744 attrib.exe 1508 attrib.exe 1576 attrib.exe 2108 attrib.exe 1296 attrib.exe 1804 attrib.exe 648 attrib.exe 2084 attrib.exe 840 attrib.exe 3052 attrib.exe 952 attrib.exe 1344 attrib.exe 648 attrib.exe 2312 attrib.exe 2888 attrib.exe 2424 attrib.exe 1096 attrib.exe 864 attrib.exe 2600 attrib.exe 1432 attrib.exe 2600 attrib.exe 268 attrib.exe 2948 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e1d352f2b8632d80920f486f54e8a806_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\hh.exe"C:\Users\Admin\AppData\Local\Temp\hh.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\hh.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\hh.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:648
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2888
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2728
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\hh.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 44⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2000
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2948
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h4⤵PID:1440
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2084
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3056
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1564 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 45⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1096
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1128 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1508
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h5⤵PID:1736
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:840
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2008
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:236 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 46⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1832
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h6⤵PID:2076
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h7⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1576
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h6⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2064
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:820
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2884 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 47⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1956
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h7⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1708
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h7⤵PID:2300
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2744
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2380
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"7⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1704 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 48⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:268
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h8⤵PID:2140
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3052
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h8⤵PID:2776
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3064
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1864
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"8⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2484 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 49⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1144
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h9⤵PID:1640
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1508
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h9⤵PID:1632
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:952
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:920
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"9⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1768 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 410⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1492
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h10⤵PID:2536
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h10⤵PID:1480
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2696
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2560
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"10⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:536 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 411⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2824
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h11⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2748
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h11⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h12⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2404
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"11⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2876
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"11⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2728 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 412⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2084
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h12⤵PID:2720
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:864
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h12⤵PID:1756
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h13⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2864
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"12⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2808
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"12⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1332 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 413⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1140
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h13⤵PID:2020
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2896
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h13⤵
- System Location Discovery: System Language Discovery
PID:812 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1576
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"13⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2148
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"13⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2796 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 414⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1004
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h14⤵PID:2364
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h15⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2600
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h14⤵PID:2656
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h15⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1236
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"14⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2468
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"14⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2152 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 415⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2084
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h15⤵PID:2348
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:952
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h15⤵
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h16⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:908
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"15⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1928
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"15⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1752 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 416⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2320
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h16⤵
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2764
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h16⤵PID:1664
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h17⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2992
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"16⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2804
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2816 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 417⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2908
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h17⤵
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h18⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2212
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h17⤵
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h18⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2232
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"17⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1528
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"17⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:676 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 418⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:936
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h18⤵PID:2436
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2820
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h18⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h19⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1344
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"18⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:944
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"18⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:900 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 419⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2780
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h19⤵PID:2340
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:648
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h19⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2108
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"19⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2380
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"19⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:864 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 420⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2432
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h20⤵PID:2400
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2220
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h20⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2992
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2368
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"20⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2148 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 421⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1324
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h21⤵PID:2552
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h22⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2064
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h21⤵PID:2468
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1912
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"21⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2384
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"21⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1576 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 422⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1760
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h22⤵PID:2396
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1432
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h22⤵PID:2892
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2312
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"22⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2200
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"22⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2096 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 423⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2024
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h23⤵PID:2532
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1096
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h23⤵PID:1156
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h24⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2600
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1724
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"23⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2448 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 424⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3036
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h24⤵PID:2200
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1296
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h24⤵PID:2512
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:268
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"24⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2668
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"24⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3016 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 425⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:600
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h25⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2424
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h25⤵PID:2652
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2752
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"25⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:908
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"25⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1724 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 426⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2544
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h26⤵PID:2424
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc\svch0stc.exe" +s +h27⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svc" +s +h26⤵PID:2212
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\svc" +s +h27⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1804
-
-
-
C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"C:\Users\Admin\AppData\Local\Temp\129660.DEVID.INFO.EXE"26⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1636
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\svc\svch0stc.exe"26⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:908 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 427⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2380
-
-
-
C:\Windows\SysWOW64\svc\svch0stc.exe"C:\Windows\system32\svc\svch0stc.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1324
C:\Users\Admin\AppData\Local\Temp\129660.devid.info.exe"C:\Users\Admin\AppData\Local\Temp\129660.devid.info.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2816
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Modify Registry (2)
Replay Monitor
Downloads
-
Filesize: 54KB
MD5: c4b470269324517ee838789c7cf5e606
SHA1: 7005597d55fb26c6260e0772f301c79f030e6d56
SHA256: 5f9b898315ad8192e87e21a499fd87d31b886513bb39d368476174aaa89a2bf9
SHA512: dbadca544434a847238bf107e59aa84bf8df9df899d0c2da2ee62cc28e12d175a81d4e4e0f85d7c394323bf66fb4ac0f413c949700ecdec9a73ed5cf9340aebb
-
Filesize: 124KB
MD5: 53b4d555c26e8ab79f37b1a080bd1021
SHA1: 0ecb19d93247302667667537c80091c8b20b52a7
SHA256: 7ffd04c501481418f40d0e060692380f454f58447ea05368a6377e8e0873fa88
SHA512: e388d4d4234fbfd73677c524f0e4123616bd21eb179103b68e6332d9948c202ff0f58f062464f96c401b35306a072533e48caa8c83868eb13fde3047318f9377
-
Filesize: 96B
MD5: 995e05476319ea9d3e4788cd4be7c4d7
SHA1: 728844ebbe6edbd7100fb4111fdd464e1b1588e2
SHA256: ed04a5d4f98937341704abf7d3f45525ad99cdadc75ad2d9758eb3b8a5cabc25
SHA512: 891f01db8c0e4f8da4eb81fd3419c8caedaf593f9b96cf9cbbccfc11cf88d67b0888a0b70e9b0e93f29e60aa94debb32b9788227abef1fb4307e81a87ace39a9
-
Filesize: 25KB
MD5: 69f5462fbb07514b12fbdaded96179a5
SHA1: a46a12c4925b1fb4950c8b2cbb8642c254817fff
SHA256: 8a94fd96bc4a69686fa04576ee5c886368c5a1870ea6d8212332c96bc00267e3
SHA512: 8b6f7398cabde07035d41973eb75b5a6be7e1c21c36ae2ff034f715e5b7699db93ff4a5bb4456b7a88f95c603d577caa112298cde41fcb5580e92b69a0b07d46
-
Filesize: 35KB
MD5: ccf453c1d9ef8f5720d409df6e5d149e
SHA1: 2c298fd46ebb8eee934b9d6d447feaea9f1e9f12
SHA256: 03b9ee5ce4c4eaefcdb042555594cc2133344f173f0b30068a83563fee5b864e
SHA512: 0f757f7350ae16e3dd8526095b2ea63c6bd5640d99afdc1311d34f62a4011de7768b7b6516da182a6b99c76e7fd706daf980376572f8ffc2e4fe0f907754c29b
-
Filesize: 152KB
MD5: 0464f7cd5a269ce6d73e113ff88e40c2
SHA1: e3536313e6444849ae348bdeac2b7c7ae0f35c73
SHA256: 0c5309e712ab405e1ea0e5b44ca653df714f5a6f1c009fd5e858d7f6966e1d5a
SHA512: 11fc5b0c14037fe1e337358abe3936ff1d54cbbdcebb443db91caec1ec347cbe8c1254fa17892904979acb633ab067316c412fc225ca26e79018dbeb221f5a06
-
Filesize: 831KB
MD5: fbd1bf7fbed25ea9ba00f02dfdd9df86
SHA1: 0d0bdc9132c72ff3de86d32b4659b5a7bb4b613c
SHA256: 171eb2b75643e66deb5cc6b1a7c6f9633e72fafd6012e7a17e1d97f9c2a513d0
SHA512: 5577328bfe7bb521cf3c8e1a9872ef251a42e2c7d5f86fc9c4275edf7ec59295d8f354a1c7568cab588bd63719edd3de12a769fe0423a2a6173c246e780a3834