e47b56e70d125b9dfe3f11dc5b50f4e7a64445fd24d08e473610ef989b383a49

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Slinky/Loader.exe
Size

18.4MB
MD5

2fdc48889ea411ba067e41cf0e8cfcbe
SHA1

6071e1684213eda46735d54a1d440e60f7946617
SHA256

b90885a042482dc4184a4dad64c06da3dc1f866e182ccb04baeaa33d6efda0d4
SHA512

121be2937214b34fb3531ab010ea0294c5dd485c2ba304bc17a5c3f17e2d64e80485adb1c2d1bc122330ffd0d30ad0fb7dd7859dc8bdbca28f0a79354839d154
SSDEEP

393216:zSgEaQOUsxWQ3mzFxORTzATDZRSbqoOjV65y3hd7pvk11DMTW2wOprJfn:zxERxsxOF4zATDKbq/j6sdlvo+vZn

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\CompPkgSrv.exe"	WScript.exe

Executes dropped EXE 64 IoCs

pid	Process
2724	Loader.exe
2912	bcmdhd32.exe
2840	Loader.exe
2760	WindowsINF2.exe
1996	bcmdhd32.exe
2012	Loader.exe
2456	WindowsINF2.exe
780	bcmdhd32.exe
280	Loader.exe
2944	WindowsINF2.exe
1256	bcmdhd32.exe
1776	Loader.exe
2120	WindowsINF2.exe
2448	bcmdhd32.exe
1652	Loader.exe
828	WindowsINF2.exe
2408	bcmdhd32.exe
2392	Loader.exe
1744	WindowsINF2.exe
2144	bcmdhd32.exe
1756	Loader.exe
572	WindowsINF2.exe
1672	bcmdhd32.exe
1736	Loader.exe
1732	WindowsINF2.exe
2924	bcmdhd32.exe
2892	Loader.exe
2440	WindowsINF2.exe
2812	bcmdhd32.exe
2756	Loader.exe
2716	WindowsINF2.exe
1048	bcmdhd32.exe
1984	Loader.exe
696	WindowsINF2.exe
888	bcmdhd32.exe
2964	Loader.exe
1940	WindowsINF2.exe
784	bcmdhd32.exe
2260	Loader.exe
2432	WindowsINF2.exe
2040	bcmdhd32.exe
2228	Loader.exe
2832	WindowsINF2.exe
2292	bcmdhd32.exe
1028	Loader.exe
1812	WindowsINF2.exe
2544	bcmdhd32.exe
3040	Loader.exe
2552	WindowsINF2.exe
1648	bcmdhd32.exe
1628	Loader.exe
1732	WindowsINF2.exe
2908	bcmdhd32.exe
2888	Loader.exe
2752	WindowsINF2.exe
2776	bcmdhd32.exe
1536	Loader.exe
2764	WindowsINF2.exe
2456	bcmdhd32.exe
2932	Loader.exe
696	WindowsINF2.exe
1568	bcmdhd32.exe
2352	Loader.exe
1300	WindowsINF2.exe

Loads dropped DLL 64 IoCs

pid	Process
2612	Loader.exe
2912	bcmdhd32.exe
2912	bcmdhd32.exe
1996	bcmdhd32.exe
1996	bcmdhd32.exe
780	bcmdhd32.exe
780	bcmdhd32.exe
1256	bcmdhd32.exe
1256	bcmdhd32.exe
2448	bcmdhd32.exe
2448	bcmdhd32.exe
2408	bcmdhd32.exe
2408	bcmdhd32.exe
2144	bcmdhd32.exe
2144	bcmdhd32.exe
1672	bcmdhd32.exe
1672	bcmdhd32.exe
2924	bcmdhd32.exe
2924	bcmdhd32.exe
2812	bcmdhd32.exe
2812	bcmdhd32.exe
1048	bcmdhd32.exe
1048	bcmdhd32.exe
888	bcmdhd32.exe
888	bcmdhd32.exe
784	bcmdhd32.exe
784	bcmdhd32.exe
2040	bcmdhd32.exe
2040	bcmdhd32.exe
2292	bcmdhd32.exe
2292	bcmdhd32.exe
2544	bcmdhd32.exe
2544	bcmdhd32.exe
1648	bcmdhd32.exe
1648	bcmdhd32.exe
2908	bcmdhd32.exe
2908	bcmdhd32.exe
2776	bcmdhd32.exe
2776	bcmdhd32.exe
2456	bcmdhd32.exe
2456	bcmdhd32.exe
1568	bcmdhd32.exe
1568	bcmdhd32.exe
1932	bcmdhd32.exe
1932	bcmdhd32.exe
2288	bcmdhd32.exe
2288	bcmdhd32.exe
304	bcmdhd32.exe
304	bcmdhd32.exe
1044	bcmdhd32.exe
1044	bcmdhd32.exe
1284	bcmdhd32.exe
1284	bcmdhd32.exe
3044	bcmdhd32.exe
3044	bcmdhd32.exe
576	bcmdhd32.exe
576	bcmdhd32.exe
536	bcmdhd32.exe
536	bcmdhd32.exe
2728	bcmdhd32.exe
2728	bcmdhd32.exe
2148	bcmdhd32.exe
2148	bcmdhd32.exe
1544	bcmdhd32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259457056	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259458023	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259442501	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259445434	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259456541	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259452189	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259442782	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259446323	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259448304	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259446027	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259455699	Loader.exe
File created	C:\Windows\inf\helper.vbs	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259443921	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259444233	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259454139	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259438773	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259440379	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259451050	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259450161	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259451580	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259453140	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259456292	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259456806	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259441627	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259446916	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259449225	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259454747	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259435309	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259448632	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259453499	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259453811	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259457774	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259441939	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259451315	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259451861	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259455995	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259443078	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259448928	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259449537	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259445137	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259447743	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259437103	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259447181	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259448039	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259454435	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259455059	Loader.exe
File created	C:\Windows\inf\bcmdhd32.exe	Loader.exe
File opened for modification	C:\Windows\inf\helper.vbs	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259435855	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259457540	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259452813	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259439943	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259440941	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259443609	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259444841	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259436573	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259437868	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259441331	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259442220	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259444513	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259455387	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259449833	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259450738	Loader.exe
File created	C:\Windows\inf\__tmp_rar_sfx_access_check_259452516	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcmdhd32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe
2980	Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2724	2612	Loader.exe	30
PID 2612 wrote to memory of 2724	2612	Loader.exe	30
PID 2612 wrote to memory of 2724	2612	Loader.exe	30
PID 2612 wrote to memory of 2724	2612	Loader.exe	30
PID 2724 wrote to memory of 2792	2724	Loader.exe	247
PID 2724 wrote to memory of 2792	2724	Loader.exe	247
PID 2724 wrote to memory of 2792	2724	Loader.exe	247
PID 2724 wrote to memory of 2912	2724	Loader.exe	32
PID 2724 wrote to memory of 2912	2724	Loader.exe	32
PID 2724 wrote to memory of 2912	2724	Loader.exe	32
PID 2724 wrote to memory of 2912	2724	Loader.exe	32
PID 2912 wrote to memory of 2840	2912	bcmdhd32.exe	33
PID 2912 wrote to memory of 2840	2912	bcmdhd32.exe	33
PID 2912 wrote to memory of 2840	2912	bcmdhd32.exe	33
PID 2912 wrote to memory of 2840	2912	bcmdhd32.exe	33
PID 2912 wrote to memory of 2760	2912	bcmdhd32.exe	291
PID 2912 wrote to memory of 2760	2912	bcmdhd32.exe	291
PID 2912 wrote to memory of 2760	2912	bcmdhd32.exe	291
PID 2912 wrote to memory of 2760	2912	bcmdhd32.exe	291
PID 2840 wrote to memory of 2640	2840	Loader.exe	215
PID 2840 wrote to memory of 2640	2840	Loader.exe	215
PID 2840 wrote to memory of 2640	2840	Loader.exe	215
PID 2840 wrote to memory of 1996	2840	Loader.exe	36
PID 2840 wrote to memory of 1996	2840	Loader.exe	36
PID 2840 wrote to memory of 1996	2840	Loader.exe	36
PID 2840 wrote to memory of 1996	2840	Loader.exe	36
PID 1996 wrote to memory of 2012	1996	bcmdhd32.exe	253
PID 1996 wrote to memory of 2012	1996	bcmdhd32.exe	253
PID 1996 wrote to memory of 2012	1996	bcmdhd32.exe	253
PID 1996 wrote to memory of 2012	1996	bcmdhd32.exe	253
PID 1996 wrote to memory of 2456	1996	bcmdhd32.exe	110
PID 1996 wrote to memory of 2456	1996	bcmdhd32.exe	110
PID 1996 wrote to memory of 2456	1996	bcmdhd32.exe	110
PID 1996 wrote to memory of 2456	1996	bcmdhd32.exe	110
PID 2012 wrote to memory of 536	2012	Loader.exe	259
PID 2012 wrote to memory of 536	2012	Loader.exe	259
PID 2012 wrote to memory of 536	2012	Loader.exe	259
PID 2012 wrote to memory of 780	2012	Loader.exe	181
PID 2012 wrote to memory of 780	2012	Loader.exe	181
PID 2012 wrote to memory of 780	2012	Loader.exe	181
PID 2012 wrote to memory of 780	2012	Loader.exe	181
PID 780 wrote to memory of 280	780	bcmdhd32.exe	186
PID 780 wrote to memory of 280	780	bcmdhd32.exe	186
PID 780 wrote to memory of 280	780	bcmdhd32.exe	186
PID 780 wrote to memory of 280	780	bcmdhd32.exe	186
PID 780 wrote to memory of 2944	780	bcmdhd32.exe	43
PID 780 wrote to memory of 2944	780	bcmdhd32.exe	43
PID 780 wrote to memory of 2944	780	bcmdhd32.exe	43
PID 780 wrote to memory of 2944	780	bcmdhd32.exe	43
PID 280 wrote to memory of 1312	280	Loader.exe	295
PID 280 wrote to memory of 1312	280	Loader.exe	295
PID 280 wrote to memory of 1312	280	Loader.exe	295
PID 280 wrote to memory of 1256	280	Loader.exe	153
PID 280 wrote to memory of 1256	280	Loader.exe	153
PID 280 wrote to memory of 1256	280	Loader.exe	153
PID 280 wrote to memory of 1256	280	Loader.exe	153
PID 1256 wrote to memory of 1776	1256	bcmdhd32.exe	266
PID 1256 wrote to memory of 1776	1256	bcmdhd32.exe	266
PID 1256 wrote to memory of 1776	1256	bcmdhd32.exe	266
PID 1256 wrote to memory of 1776	1256	bcmdhd32.exe	266
PID 1256 wrote to memory of 2120	1256	bcmdhd32.exe	300
PID 1256 wrote to memory of 2120	1256	bcmdhd32.exe	300
PID 1256 wrote to memory of 2120	1256	bcmdhd32.exe	300
PID 1256 wrote to memory of 2120	1256	bcmdhd32.exe	300

C:\Users\Admin\AppData\Local\Temp\Slinky\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Slinky\Loader.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
    3⤵
    - Modifies WinLogon for persistence
    PID:2792
- - C:\Windows\INF\bcmdhd32.exe
    "C:\Windows\INF\bcmdhd32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        5⤵
        Modifies WinLogon for persistence
        
        PID:2640
    - - C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        7⤵
        Modifies WinLogon for persistence
        
        PID:536
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        9⤵
        Modifies WinLogon for persistence
        
        PID:1312
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        11⤵
        Modifies WinLogon for persistence
        
        PID:1752
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        13⤵
        Modifies WinLogon for persistence
        
        PID:1364
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        15⤵
        Modifies WinLogon for persistence
        
        PID:2220
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        17⤵
        Modifies WinLogon for persistence
        
        PID:1856
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        19⤵
        Modifies WinLogon for persistence
        
        PID:2920
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        21⤵
        Modifies WinLogon for persistence
        
        PID:2916
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        23⤵
        Modifies WinLogon for persistence
        
        PID:768
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        25⤵
        Modifies WinLogon for persistence
        
        PID:2984
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        27⤵
        Modifies WinLogon for persistence
        
        PID:1256
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        29⤵
        Modifies WinLogon for persistence
        
        PID:2448
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        31⤵
        Modifies WinLogon for persistence
        
        PID:1320
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        33⤵
        Modifies WinLogon for persistence
        
        PID:2008
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        35⤵
        Modifies WinLogon for persistence
        
        PID:3068
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        35⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        37⤵
        Modifies WinLogon for persistence
        
        PID:2276
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        37⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        39⤵
        Modifies WinLogon for persistence
        
        PID:2632
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        41⤵
        Modifies WinLogon for persistence
        
        PID:560
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        41⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        43⤵
        Modifies WinLogon for persistence
        
        PID:1948
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        43⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        45⤵
        Modifies WinLogon for persistence
        
        PID:1256
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        45⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        Drops file in Windows directory
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        47⤵
        
        PID:404
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        47⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        Drops file in Windows directory
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        49⤵
        Modifies WinLogon for persistence
        
        PID:1320
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        49⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        51⤵
        Modifies WinLogon for persistence
        
        PID:2008
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        51⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        Drops file in Windows directory
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        53⤵
        Modifies WinLogon for persistence
        
        PID:3068
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        53⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        Drops file in Windows directory
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        55⤵
        Modifies WinLogon for persistence
        
        PID:2884
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        55⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        57⤵
        
        PID:2340
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        57⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        Drops file in Windows directory
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        59⤵
        Modifies WinLogon for persistence
        
        PID:560
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        59⤵
        Loads dropped DLL
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        Drops file in Windows directory
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        61⤵
        Modifies WinLogon for persistence
        
        PID:864
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        61⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        63⤵
        Modifies WinLogon for persistence
        
        PID:1256
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        63⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        Drops file in Windows directory
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        65⤵
        Modifies WinLogon for persistence
        
        PID:2448
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        65⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        66⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        67⤵
        Modifies WinLogon for persistence
        
        PID:900
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        67⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        68⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        69⤵
        Modifies WinLogon for persistence
        
        PID:2544
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        70⤵
        Drops file in Windows directory
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        71⤵
        Modifies WinLogon for persistence
        
        PID:3068
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        72⤵
        Drops file in Windows directory
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        73⤵
        Modifies WinLogon for persistence
        
        PID:2924
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        74⤵
        Drops file in Windows directory
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        75⤵
        Modifies WinLogon for persistence
        
        PID:2640
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        76⤵
        Drops file in Windows directory
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        77⤵
        Modifies WinLogon for persistence
        
        PID:780
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        78⤵
        Drops file in Windows directory
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        79⤵
        Modifies WinLogon for persistence
        
        PID:1920
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        80⤵
        Drops file in Windows directory
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        81⤵
        Modifies WinLogon for persistence
        
        PID:784
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        82⤵
        Drops file in Windows directory
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        83⤵
        Modifies WinLogon for persistence
        
        PID:2040
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        83⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        84⤵
        Drops file in Windows directory
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        85⤵
        Modifies WinLogon for persistence
        
        PID:1636
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        86⤵
        Drops file in Windows directory
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        87⤵
        Modifies WinLogon for persistence
        
        PID:2240
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        88⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        89⤵
        Modifies WinLogon for persistence
        
        PID:2164
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        90⤵
        Drops file in Windows directory
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        91⤵
        Modifies WinLogon for persistence
        
        PID:1620
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        92⤵
        Drops file in Windows directory
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        93⤵
        Modifies WinLogon for persistence
        
        PID:2632
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        94⤵
        Drops file in Windows directory
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        95⤵
        Modifies WinLogon for persistence
        
        PID:2604
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        96⤵
        Drops file in Windows directory
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        97⤵
        
        PID:1680
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        98⤵
        Drops file in Windows directory
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        99⤵
        
        PID:2052
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        100⤵
        Drops file in Windows directory
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        101⤵
        Modifies WinLogon for persistence
        
        PID:2616
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        102⤵
        Drops file in Windows directory
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        103⤵
        Modifies WinLogon for persistence
        
        PID:2264
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        104⤵
        Drops file in Windows directory
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        105⤵
        Modifies WinLogon for persistence
        
        PID:2392
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        106⤵
        Drops file in Windows directory
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        107⤵
        Modifies WinLogon for persistence
        
        PID:2200
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        108⤵
        Drops file in Windows directory
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        109⤵
        Modifies WinLogon for persistence
        
        PID:2784
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        109⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        110⤵
        Drops file in Windows directory
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        111⤵
        Modifies WinLogon for persistence
        
        PID:2916
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        112⤵
        Drops file in Windows directory
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        113⤵
        Modifies WinLogon for persistence
        
        PID:2012
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        113⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        114⤵
        Drops file in Windows directory
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        115⤵
        Modifies WinLogon for persistence
        
        PID:548
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        116⤵
        Drops file in Windows directory
        
        PID:536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        117⤵
        Modifies WinLogon for persistence
        
        PID:1200
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        118⤵
        Drops file in Windows directory
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        119⤵
        Modifies WinLogon for persistence
        
        PID:2404
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        120⤵
        Drops file in Windows directory
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        121⤵
        Modifies WinLogon for persistence
        
        PID:344
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        122⤵
        Drops file in Windows directory
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        123⤵
        
        PID:1872
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        124⤵
        Drops file in Windows directory
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        125⤵
        Modifies WinLogon for persistence
        
        PID:2328
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        126⤵
        Drops file in Windows directory
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        127⤵
        Modifies WinLogon for persistence
        
        PID:2228
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        128⤵
        Drops file in Windows directory
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        129⤵
        Modifies WinLogon for persistence
        
        PID:2800
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        130⤵
        Drops file in Windows directory
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        131⤵
        Modifies WinLogon for persistence
        
        PID:2680
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        132⤵
        Drops file in Windows directory
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        133⤵
        Modifies WinLogon for persistence
        
        PID:2848
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        134⤵
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        135⤵
        
        PID:588
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        136⤵
        Drops file in Windows directory
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        137⤵
        Modifies WinLogon for persistence
        
        PID:2384
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        138⤵
        Drops file in Windows directory
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        139⤵
        Modifies WinLogon for persistence
        
        PID:2260
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        140⤵
        Drops file in Windows directory
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\INF\helper.vbs"
        141⤵
        Modifies WinLogon for persistence
        
        PID:2220
        
        C:\Windows\INF\bcmdhd32.exe
        
        "C:\Windows\INF\bcmdhd32.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        142⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        142⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        140⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        138⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        136⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        134⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        132⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        130⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        128⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        126⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        124⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        122⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        120⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        118⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        116⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        114⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        112⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        110⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        108⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        106⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        104⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        102⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        100⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        98⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        96⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        94⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        92⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        90⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        88⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        86⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        84⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        82⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        80⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        78⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        76⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        74⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        72⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        70⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        68⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        66⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        64⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        62⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        60⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        58⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        56⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        54⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        52⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        50⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        48⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        46⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        44⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        42⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        40⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        38⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        36⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        34⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        32⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        30⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        28⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        26⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        24⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        22⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        20⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        18⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        16⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        14⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        12⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        10⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        8⤵
        Executes dropped EXE
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
        6⤵
        Executes dropped EXE
        
        PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsINF2.exe"
      4⤵
      Executes dropped EXE
      PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1636240914165954556628612270736356702710072166261589048364-20172635052019911380"
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
18.4MB

MD5
430c6e8959ea85f9c9909779018191e7

SHA1
be7cd5a3703deb83484e77296e71e8a6a0eac52e

SHA256
c912f79aa47dd0403b6b01764a86eef6a9b01d2852fe181370b896d9a289394c

SHA512
8afcfd3f73cfcad30d6ac9126d395ab1cfd1c907bc14d9b2038659d3f7067242979a738258d3afa7dc4909ada97c36700cc0cb704e2fea94ec701c73f14af8ca

Download Submit
C:\Windows\INF\helper.vbs

Filesize
197B

MD5
090c330a578a62382c49c247025f2f61

SHA1
83888f584ff0009622a133a5cc6ed7a5c7488fe5

SHA256
83f1480dd41f6b904dfc13a5f8bf184350f52cea41ae8e6c5eb122969337ee88

SHA512
01cb318276882e1c6f0ea672ecd7c4986eda0f7ff059606ca6f34e0a2dd38e1ed685fa5aafe7790e309ee3b4836179e01c6ddfa58b795866b733e40f0f70cb31

Download Submit
C:\Windows\inf\bcmdhd32.exe

Filesize
18.2MB

MD5
55e31f0ecd07c9b49d87bc11d642b088

SHA1
5a6d4123c271b76912580519dca43a41473fe716

SHA256
6882be40bd3c7db87dbbfa10afb7e0a754643250ccf797864566e00854907194

SHA512
d6fb730e0eae52a118f77cbe8c9df211cc30425b350ff6eaca1715c6a0827dda9de6fe582f4012315883a076f028f4a6ba0478b54b09b630bffdbe38c8edcc2c

Download Submit
\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
18.5MB

MD5
22fe3206f3c1827d4a77f79401ab533b

SHA1
47ce070a7ec1460ce4677e1803fc8b51b48930b6

SHA256
690195c4c5bd794cfdb3c2a5ad154da5a4542b45c0a35832cfddeec6c0d08726

SHA512
8f2a503443142d6fb36aac7c834c75eb31d41bb95e451d3df0269adca181135d0ade184e5a2feefc8de801dd3062e8c8b7e8cfd377a0fb155c24a695d0eb5f17

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsINF2.exe

Filesize
225KB

MD5
3ba78c0e6cf82ee41740c3951f233cb8

SHA1
e8da222b1c129ffcd6c5f6db04d2d700fb397bc1

SHA256
190c5e452ca637149fcd5b7a734cf3a5fb9b9fd220882edd565ee82c1819033d

SHA512
499fc902820231fdc4868113edfd2cf6c990ba48bb63ce37cd4cd7637f4106160f5757313b752143440a7f7f977e7d93c04f589a7c754db50427f1c9ccb56926

Download Submit
memory/264-222-0x0000000000020000-0x000000000005E000-memory.dmp

Filesize
248KB

Download
memory/292-313-0x0000000000D40000-0x0000000000D7E000-memory.dmp

Filesize
248KB

Download
memory/404-366-0x0000000000C30000-0x0000000000C6E000-memory.dmp

Filesize
248KB

Download
memory/572-94-0x0000000000110000-0x000000000014E000-memory.dmp

Filesize
248KB

Download
memory/696-132-0x0000000001010000-0x000000000104E000-memory.dmp

Filesize
248KB

Download
memory/696-177-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/768-262-0x0000000001170000-0x00000000011AE000-memory.dmp

Filesize
248KB

Download
memory/828-72-0x0000000000A00000-0x0000000000A3E000-memory.dmp

Filesize
248KB

Download
memory/1016-267-0x00000000003F0000-0x000000000042E000-memory.dmp

Filesize
248KB

Download
memory/1300-182-0x0000000000930000-0x000000000096E000-memory.dmp

Filesize
248KB

Download
memory/1356-401-0x0000000000E20000-0x0000000000E5E000-memory.dmp

Filesize
248KB

Download
memory/1588-386-0x0000000000DF0000-0x0000000000E2E000-memory.dmp

Filesize
248KB

Download
memory/1704-242-0x0000000000CA0000-0x0000000000CDE000-memory.dmp

Filesize
248KB

Download
memory/1708-237-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1732-162-0x0000000000F70000-0x0000000000FAE000-memory.dmp

Filesize
248KB

Download
memory/1732-105-0x0000000001370000-0x00000000013AE000-memory.dmp

Filesize
248KB

Download
memory/1744-83-0x0000000000B80000-0x0000000000BBE000-memory.dmp

Filesize
248KB

Download
memory/1744-371-0x00000000011A0000-0x00000000011DE000-memory.dmp

Filesize
248KB

Download
memory/1788-281-0x0000000000BD0000-0x0000000000C0E000-memory.dmp

Filesize
248KB

Download
memory/1812-152-0x0000000001200000-0x000000000123E000-memory.dmp

Filesize
248KB

Download
memory/1840-187-0x00000000008D0000-0x000000000090E000-memory.dmp

Filesize
248KB

Download
memory/1940-356-0x0000000000C00000-0x0000000000C3E000-memory.dmp

Filesize
248KB

Download
memory/1940-137-0x0000000000DD0000-0x0000000000E0E000-memory.dmp

Filesize
248KB

Download
memory/1944-323-0x00000000011C0000-0x00000000011FE000-memory.dmp

Filesize
248KB

Download
memory/1956-415-0x0000000000C60000-0x0000000000C9E000-memory.dmp

Filesize
248KB

Download
memory/2000-217-0x0000000000FF0000-0x000000000102E000-memory.dmp

Filesize
248KB

Download
memory/2004-257-0x0000000000D90000-0x0000000000DCE000-memory.dmp

Filesize
248KB

Download
memory/2084-318-0x0000000000F40000-0x0000000000F7E000-memory.dmp

Filesize
248KB

Download
memory/2120-406-0x0000000000B60000-0x0000000000B9E000-memory.dmp

Filesize
248KB

Download
memory/2120-61-0x00000000010C0000-0x00000000010FE000-memory.dmp

Filesize
248KB

Download
memory/2124-308-0x0000000000850000-0x000000000088E000-memory.dmp

Filesize
248KB

Download
memory/2328-247-0x0000000001150000-0x000000000118E000-memory.dmp

Filesize
248KB

Download
memory/2340-347-0x00000000009C0000-0x00000000009FE000-memory.dmp

Filesize
248KB

Download
memory/2364-227-0x00000000009E0000-0x0000000000A1E000-memory.dmp

Filesize
248KB

Download
memory/2380-202-0x0000000000EC0000-0x0000000000EFE000-memory.dmp

Filesize
248KB

Download
memory/2388-207-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2432-142-0x0000000000BE0000-0x0000000000C1E000-memory.dmp

Filesize
248KB

Download
memory/2440-116-0x00000000012C0000-0x00000000012FE000-memory.dmp

Filesize
248KB

Download
memory/2496-286-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2516-197-0x0000000000EE0000-0x0000000000F1E000-memory.dmp

Filesize
248KB

Download
memory/2552-157-0x0000000000FD0000-0x000000000100E000-memory.dmp

Filesize
248KB

Download
memory/2552-376-0x00000000011D0000-0x000000000120E000-memory.dmp

Filesize
248KB

Download
memory/2588-192-0x0000000000820000-0x000000000085E000-memory.dmp

Filesize
248KB

Download
memory/2616-232-0x0000000000BA0000-0x0000000000BDE000-memory.dmp

Filesize
248KB

Download
memory/2716-127-0x00000000009D0000-0x0000000000A0E000-memory.dmp

Filesize
248KB

Download
memory/2740-361-0x0000000000E70000-0x0000000000EAE000-memory.dmp

Filesize
248KB

Download
memory/2752-167-0x0000000000120000-0x000000000015E000-memory.dmp

Filesize
248KB

Download
memory/2760-33-0x00000000010D0000-0x000000000110E000-memory.dmp

Filesize
248KB

Download
memory/2764-172-0x0000000000CB0000-0x0000000000CEE000-memory.dmp

Filesize
248KB

Download
memory/2784-252-0x0000000000140000-0x000000000017E000-memory.dmp

Filesize
248KB

Download
memory/2788-212-0x0000000001110000-0x000000000114E000-memory.dmp

Filesize
248KB

Download
memory/2788-342-0x00000000008F0000-0x000000000092E000-memory.dmp

Filesize
248KB

Download
memory/2832-147-0x0000000000AF0000-0x0000000000B2E000-memory.dmp

Filesize
248KB

Download
memory/2876-391-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/2936-396-0x00000000011F0000-0x000000000122E000-memory.dmp

Filesize
248KB

Download
memory/2944-50-0x0000000000D20000-0x0000000000D5E000-memory.dmp

Filesize
248KB

Download
memory/2972-328-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/3016-295-0x0000000000DC0000-0x0000000000DFE000-memory.dmp

Filesize
248KB

Download
memory/3028-381-0x0000000001280000-0x00000000012BE000-memory.dmp

Filesize
248KB

Download
memory/3048-276-0x0000000000240000-0x000000000027E000-memory.dmp

Filesize
248KB

Download
memory/3052-333-0x0000000000B90000-0x0000000000BCE000-memory.dmp

Filesize
248KB

Download