skuld | 414180a9f9707cb3501546487051badead26b0d08d0143302c62f84b81a565f5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comet.exe
Size

8.6MB
MD5

1f5d19397b48172aba35885f39e318fa
SHA1

df77020bffc62f386b5ce0ad0cde3d8f8b704b93
SHA256

dd780875686be33910002f91aaeb8f8ec70a2f3972c41c707a59ef18cd900e74
SHA512

4ccec7c602582d467a63e8f6e8fc222e73bb88a589256fac0577452b6ffaaec58adf2b5e216f8a27404c4717a74f239ce73226385133764b75baa775b25de4a0
SSDEEP

196608:u9+8ZspGS5puzUZqVBU6NABaScfR3xeUDyzfS/FNgeLCtNP:u9+EEp5ZqPBOhcftAUDyzqNutNP

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1320235014511792160/59qb1BvUIDJlYJZoQnnxe4CNf8Swi8--Nwm7q4BECFectFCCJWiM-H8Ng2tA4-dl6Vyb

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Comet.exe

Executes dropped EXE 55 IoCs

pid	Process
1352	deltadll.exe
3280	deltadll.exe
4416	deltadll.exe
2292	deltadll.exe
4276	deltadll.exe
3564	deltadll.exe
2856	deltadll.exe
4072	deltadll.exe
1060	deltadll.exe
3696	deltadll.exe
1628	deltadll.exe
4668	deltadll.exe
2256	deltadll.exe
4360	deltadll.exe
4812	deltadll.exe
856	deltadll.exe
1608	deltadll.exe
2436	deltadll.exe
4504	deltadll.exe
1368	deltadll.exe
3148	deltadll.exe
3308	deltadll.exe
768	deltadll.exe
2984	deltadll.exe
3776	deltadll.exe
3276	deltadll.exe
4092	deltadll.exe
376	deltadll.exe
2912	deltadll.exe
4736	deltadll.exe
4932	deltadll.exe
4764	deltadll.exe
4996	deltadll.exe
1176	deltadll.exe
1240	deltadll.exe
2396	deltadll.exe
3360	deltadll.exe
4256	deltadll.exe
4224	deltadll.exe
3140	deltadll.exe
2980	deltadll.exe
1204	deltadll.exe
2644	deltadll.exe
864	deltadll.exe
5068	deltadll.exe
4928	deltadll.exe
2444	deltadll.exe
2320	deltadll.exe
4452	deltadll.exe
2064	deltadll.exe
940	deltadll.exe
4572	deltadll.exe
1308	deltadll.exe
2216	deltadll.exe
1676	deltadll.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
61	ip-api.com
88	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	Comet.exe
Token: SeDebugPrivilege	1352	deltadll.exe
Token: SeDebugPrivilege	2068	Comet.exe
Token: SeDebugPrivilege	3280	deltadll.exe
Token: SeDebugPrivilege	528	Comet.exe
Token: SeDebugPrivilege	4416	deltadll.exe
Token: SeDebugPrivilege	1700	Comet.exe
Token: SeDebugPrivilege	2292	deltadll.exe
Token: SeDebugPrivilege	2484	Comet.exe
Token: SeDebugPrivilege	4276	deltadll.exe
Token: SeDebugPrivilege	2536	Comet.exe
Token: SeDebugPrivilege	3564	deltadll.exe
Token: SeDebugPrivilege	2664	Comet.exe
Token: SeDebugPrivilege	2856	deltadll.exe
Token: SeDebugPrivilege	2212	Comet.exe
Token: SeDebugPrivilege	4072	deltadll.exe
Token: SeDebugPrivilege	4876	Comet.exe
Token: SeDebugPrivilege	1060	deltadll.exe
Token: SeDebugPrivilege	4936	Comet.exe
Token: SeDebugPrivilege	3696	deltadll.exe
Token: SeDebugPrivilege	4192	Comet.exe
Token: SeDebugPrivilege	1628	deltadll.exe
Token: SeDebugPrivilege	3008	Comet.exe
Token: SeDebugPrivilege	4668	deltadll.exe
Token: SeDebugPrivilege	1700	Comet.exe
Token: SeDebugPrivilege	2256	deltadll.exe
Token: SeDebugPrivilege	3364	Comet.exe
Token: SeDebugPrivilege	4360	deltadll.exe
Token: SeDebugPrivilege	3336	Comet.exe
Token: SeDebugPrivilege	4812	deltadll.exe
Token: SeDebugPrivilege	3316	Comet.exe
Token: SeDebugPrivilege	856	deltadll.exe
Token: SeDebugPrivilege	1256	Comet.exe
Token: SeDebugPrivilege	1608	deltadll.exe
Token: SeDebugPrivilege	4756	Comet.exe
Token: SeDebugPrivilege	2436	deltadll.exe
Token: SeDebugPrivilege	224	Comet.exe
Token: SeDebugPrivilege	4504	deltadll.exe
Token: SeDebugPrivilege	400	Comet.exe
Token: SeDebugPrivilege	1368	deltadll.exe
Token: SeDebugPrivilege	3140	Comet.exe
Token: SeDebugPrivilege	3148	deltadll.exe
Token: SeDebugPrivilege	4432	Comet.exe
Token: SeDebugPrivilege	3308	deltadll.exe
Token: SeDebugPrivilege	1700	Comet.exe
Token: SeDebugPrivilege	768	deltadll.exe
Token: SeDebugPrivilege	3524	Comet.exe
Token: SeDebugPrivilege	2984	deltadll.exe
Token: SeDebugPrivilege	2852	Comet.exe
Token: SeDebugPrivilege	3776	deltadll.exe
Token: SeDebugPrivilege	632	Comet.exe
Token: SeDebugPrivilege	3276	deltadll.exe
Token: SeDebugPrivilege	220	Comet.exe
Token: SeDebugPrivilege	4092	deltadll.exe
Token: SeDebugPrivilege	2360	Comet.exe
Token: SeDebugPrivilege	376	deltadll.exe
Token: SeDebugPrivilege	3348	Comet.exe
Token: SeDebugPrivilege	2912	deltadll.exe
Token: SeDebugPrivilege	1412	Comet.exe
Token: SeDebugPrivilege	4736	deltadll.exe
Token: SeDebugPrivilege	2484	Comet.exe
Token: SeDebugPrivilege	4932	deltadll.exe
Token: SeDebugPrivilege	4508	Comet.exe
Token: SeDebugPrivilege	4764	deltadll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2068	3680	Comet.exe	83
PID 3680 wrote to memory of 2068	3680	Comet.exe	83
PID 3680 wrote to memory of 1352	3680	Comet.exe	84
PID 3680 wrote to memory of 1352	3680	Comet.exe	84
PID 1352 wrote to memory of 1608	1352	deltadll.exe	86
PID 1352 wrote to memory of 1608	1352	deltadll.exe	86
PID 2068 wrote to memory of 528	2068	Comet.exe	87
PID 2068 wrote to memory of 528	2068	Comet.exe	87
PID 2068 wrote to memory of 3280	2068	Comet.exe	88
PID 2068 wrote to memory of 3280	2068	Comet.exe	88
PID 3280 wrote to memory of 1996	3280	deltadll.exe	90
PID 3280 wrote to memory of 1996	3280	deltadll.exe	90
PID 528 wrote to memory of 1700	528	Comet.exe	91
PID 528 wrote to memory of 1700	528	Comet.exe	91
PID 528 wrote to memory of 4416	528	Comet.exe	92
PID 528 wrote to memory of 4416	528	Comet.exe	92
PID 4416 wrote to memory of 3824	4416	deltadll.exe	94
PID 4416 wrote to memory of 3824	4416	deltadll.exe	94
PID 1700 wrote to memory of 2484	1700	Comet.exe	95
PID 1700 wrote to memory of 2484	1700	Comet.exe	95
PID 1700 wrote to memory of 2292	1700	Comet.exe	96
PID 1700 wrote to memory of 2292	1700	Comet.exe	96
PID 2292 wrote to memory of 3596	2292	deltadll.exe	98
PID 2292 wrote to memory of 3596	2292	deltadll.exe	98
PID 2484 wrote to memory of 2536	2484	Comet.exe	99
PID 2484 wrote to memory of 2536	2484	Comet.exe	99
PID 2484 wrote to memory of 4276	2484	Comet.exe	100
PID 2484 wrote to memory of 4276	2484	Comet.exe	100
PID 4276 wrote to memory of 436	4276	deltadll.exe	102
PID 4276 wrote to memory of 436	4276	deltadll.exe	102
PID 2536 wrote to memory of 2664	2536	Comet.exe	103
PID 2536 wrote to memory of 2664	2536	Comet.exe	103
PID 2536 wrote to memory of 3564	2536	Comet.exe	104
PID 2536 wrote to memory of 3564	2536	Comet.exe	104
PID 3564 wrote to memory of 4396	3564	deltadll.exe	106
PID 3564 wrote to memory of 4396	3564	deltadll.exe	106
PID 2664 wrote to memory of 2212	2664	Comet.exe	110
PID 2664 wrote to memory of 2212	2664	Comet.exe	110
PID 2664 wrote to memory of 2856	2664	Comet.exe	111
PID 2664 wrote to memory of 2856	2664	Comet.exe	111
PID 2856 wrote to memory of 4364	2856	deltadll.exe	113
PID 2856 wrote to memory of 4364	2856	deltadll.exe	113
PID 2212 wrote to memory of 4876	2212	Comet.exe	115
PID 2212 wrote to memory of 4876	2212	Comet.exe	115
PID 2212 wrote to memory of 4072	2212	Comet.exe	116
PID 2212 wrote to memory of 4072	2212	Comet.exe	116
PID 4072 wrote to memory of 4976	4072	deltadll.exe	118
PID 4072 wrote to memory of 4976	4072	deltadll.exe	118
PID 4876 wrote to memory of 4936	4876	Comet.exe	121
PID 4876 wrote to memory of 4936	4876	Comet.exe	121
PID 4876 wrote to memory of 1060	4876	Comet.exe	122
PID 4876 wrote to memory of 1060	4876	Comet.exe	122
PID 1060 wrote to memory of 4964	1060	deltadll.exe	124
PID 1060 wrote to memory of 4964	1060	deltadll.exe	124
PID 4936 wrote to memory of 4192	4936	Comet.exe	125
PID 4936 wrote to memory of 4192	4936	Comet.exe	125
PID 4936 wrote to memory of 3696	4936	Comet.exe	126
PID 4936 wrote to memory of 3696	4936	Comet.exe	126
PID 3696 wrote to memory of 2988	3696	deltadll.exe	128
PID 3696 wrote to memory of 2988	3696	deltadll.exe	128
PID 4192 wrote to memory of 3008	4192	Comet.exe	129
PID 4192 wrote to memory of 3008	4192	Comet.exe	129
PID 4192 wrote to memory of 1628	4192	Comet.exe	131
PID 4192 wrote to memory of 1628	4192	Comet.exe	131

Views/modifies file attributes 1 TTPs 56 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1516	attrib.exe
4976	attrib.exe
4916	attrib.exe
4976	attrib.exe
3964	attrib.exe
4560	attrib.exe
4964	attrib.exe
2896	attrib.exe
1072	attrib.exe
3748	attrib.exe
3596	attrib.exe
3596	attrib.exe
848	attrib.exe
1652	attrib.exe
2684	attrib.exe
4416	attrib.exe
3784	attrib.exe
2524	attrib.exe
1692	attrib.exe
436	attrib.exe
2252	attrib.exe
3268	attrib.exe
2988	attrib.exe
3192	attrib.exe
392	attrib.exe
556	attrib.exe
1608	attrib.exe
1244	attrib.exe
4224	attrib.exe
672	attrib.exe
1076	attrib.exe
4204	attrib.exe
4668	attrib.exe
3156	attrib.exe
4276	attrib.exe
4764	attrib.exe
4176	attrib.exe
1996	attrib.exe
4868	attrib.exe
4908	attrib.exe
216	attrib.exe
4292	attrib.exe
2704	attrib.exe
1772	attrib.exe
4364	attrib.exe
4092	attrib.exe
3536	attrib.exe
3596	attrib.exe
3044	attrib.exe
5008	attrib.exe
2596	attrib.exe
3660	attrib.exe
4396	attrib.exe
5028	attrib.exe
3740	attrib.exe
3824	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Comet.exe
"C:\Users\Admin\AppData\Local\Temp\Comet.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\Comet.exe
  "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\Comet.exe
    "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
      "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        6⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        8⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        10⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        12⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        14⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        16⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        18⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        20⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        22⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        24⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        26⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        28⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        30⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        31⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        32⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        33⤵
        Checks computer location settings
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        34⤵
        Checks computer location settings
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        35⤵
        Checks computer location settings
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        36⤵
        Checks computer location settings
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        37⤵
        Checks computer location settings
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        38⤵
        Checks computer location settings
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        39⤵
        Checks computer location settings
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        40⤵
        Checks computer location settings
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        41⤵
        Checks computer location settings
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        42⤵
        Checks computer location settings
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        43⤵
        Checks computer location settings
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        44⤵
        Checks computer location settings
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        45⤵
        Checks computer location settings
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        46⤵
        Checks computer location settings
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        47⤵
        Checks computer location settings
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        48⤵
        Checks computer location settings
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        49⤵
        Checks computer location settings
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        50⤵
        Checks computer location settings
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        51⤵
        Checks computer location settings
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        52⤵
        Checks computer location settings
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        53⤵
        Checks computer location settings
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        54⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        55⤵
        Checks computer location settings
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        56⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1676
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        57⤵
        Views/modifies file attributes
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2216
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        56⤵
        Views/modifies file attributes
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1308
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        55⤵
        Views/modifies file attributes
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4572
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        54⤵
        Views/modifies file attributes
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:940
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        53⤵
        Views/modifies file attributes
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2064
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        52⤵
        Views/modifies file attributes
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4452
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        51⤵
        Views/modifies file attributes
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2320
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        50⤵
        Views/modifies file attributes
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2444
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        49⤵
        Views/modifies file attributes
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4928
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        48⤵
        Views/modifies file attributes
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5068
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        47⤵
        Views/modifies file attributes
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:864
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        46⤵
        Views/modifies file attributes
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2644
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        45⤵
        Views/modifies file attributes
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1204
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        44⤵
        Views/modifies file attributes
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2980
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        43⤵
        Views/modifies file attributes
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3140
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        42⤵
        Views/modifies file attributes
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4224
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        41⤵
        Views/modifies file attributes
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4256
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        40⤵
        Views/modifies file attributes
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        38⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        39⤵
        Views/modifies file attributes
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2396
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        38⤵
        Views/modifies file attributes
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1240
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        37⤵
        Views/modifies file attributes
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1176
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        36⤵
        Views/modifies file attributes
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4996
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        35⤵
        Views/modifies file attributes
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        34⤵
        Views/modifies file attributes
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        33⤵
        Views/modifies file attributes
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        32⤵
        Views/modifies file attributes
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        31⤵
        Views/modifies file attributes
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        30⤵
        Views/modifies file attributes
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        29⤵
        Views/modifies file attributes
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        28⤵
        Views/modifies file attributes
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        27⤵
        Views/modifies file attributes
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        26⤵
        Views/modifies file attributes
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        25⤵
        Views/modifies file attributes
        
        PID:1652
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        25⤵
        Views/modifies file attributes
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        24⤵
        Views/modifies file attributes
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        23⤵
        Views/modifies file attributes
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        22⤵
        Views/modifies file attributes
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        21⤵
        Views/modifies file attributes
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        20⤵
        Views/modifies file attributes
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        19⤵
        Views/modifies file attributes
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        18⤵
        Views/modifies file attributes
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        17⤵
        Views/modifies file attributes
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        16⤵
        Views/modifies file attributes
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        15⤵
        Views/modifies file attributes
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        14⤵
        Views/modifies file attributes
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        13⤵
        Views/modifies file attributes
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        12⤵
        Views/modifies file attributes
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        11⤵
        Views/modifies file attributes
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        10⤵
        Views/modifies file attributes
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        9⤵
        Views/modifies file attributes
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        8⤵
        Views/modifies file attributes
        
        PID:4396
      - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        7⤵
        Views/modifies file attributes
        
        PID:436
    - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        6⤵
        Views/modifies file attributes
        
        PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
      "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        5⤵
        Views/modifies file attributes
        
        PID:3824
- - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
    "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
      4⤵
      Views/modifies file attributes
      PID:1996
- C:\Users\Admin\AppData\Local\Temp\deltadll.exe
  "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
    3⤵
    - Views/modifies file attributes
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Comet.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\deltadll.exe

Filesize
14.8MB

MD5
19c446f51d203d1fb7eb23210709417b

SHA1
6e33b8d13d1539630615e581e5ab03de371c0dc6

SHA256
b67cae29bac60920b3edc02081da697c4c6486411c1bc77f29b68cb1f23e3ffc

SHA512
9d8601a0c2e090cd5fc6315c1671d669cd6a6bf20d3ef24cb1a111e344464913fe809c9b27d32608b93b988a37e59c90086ccf68545ce385ef58f96365a439df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
3.0MB

MD5
5f8f2988cd2a38ee9c45bf89505e961a

SHA1
1feac0a64e190364fa9aeedba712698ff25b1855

SHA256
66b2848387f73fd349473913286dc6e94bea2f27caebc30b2fb42b5830ea0ba5

SHA512
8229301fad44ae213bad43f67c5b66d94670cd910d8f3b1c0895f7bf22e45e1405d8024089253e19ea075f0d29bb569350f3b18e1bc5b6de6ecf566ca972ce4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
2.8MB

MD5
10337420cb980cf277ca0761c4140b48

SHA1
025dc4e2be63d9b35c4da25b60801b79d96dc451

SHA256
876b80573fe0ca9722e51e8dffd8f8657ccfc59cb40755b7d88cc9e7a9c8d807

SHA512
e5f581e94d9e9360f4e12d4004db037a374bda097da1de37d96272cb23c6a7b0f335fd737c73d935e76f4b72aa1e63d8030cfef11c2c0def5791a3c9ac537697

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
1.2MB

MD5
408107474cd8264197fe0d31feb6d160

SHA1
b8895ecefe1db6c5f28712087f5e0f4b4733e99a

SHA256
fddd88dd6dd304ad01f7e275b2cd9419ecc2922649336792d94b7b6d45e03530

SHA512
78626765926193b523fd8c6f0de6cb27d961345847c1a9e65d026304278074a31a8d38f56fc7cc6df0d3ece4784ecc8c7d8e9370ddd55240cbb0d06b26698ed6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
5.8MB

MD5
0d1fe544e6911231f63e966b1e31f327

SHA1
d522e5db49a5c16ca38ef4ccd4e3e95cba575fab

SHA256
83a25568ce6d88aea30d290bcaa4de7b86546521f852824fd6ebe21b6aabf13a

SHA512
3b4797277cafb37cec895fa3c92384d807f3472f6f7f0982c675cf0a615758329d40a77e5ce802276a8a22977b9a41522fdcc66e1642bfff6efacece1fb1f144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
4.3MB

MD5
c742e649e5feaaabb77cb10546d3fb7a

SHA1
b5af3515e724e598ea816646d2271f2514dcf7fb

SHA256
c49cb06318073c3b597fa4b7973b14a7263e8c91209c90470dd8c83a183983c1

SHA512
8c0f11f6969ff5dc77f2d3cf05e12f24a8fc58e078f3af14939c491e163da62ef2b86262f72186fb674409228983e3759e8c07eff89203520b67f851b836a18c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
2.9MB

MD5
22478954743868f7c63da20fc8753a00

SHA1
eebb1fd9b19b43998d385684cd2b0ed21326e39b

SHA256
f001a5e4a3bcafac5dc54a0be06392580c9e544a57642b8a511cb74a35f26cc0

SHA512
aa3b5bceced12f77ed4fdf9394ed8f37635cf20064d4e30d64f828b050d6d301e96aef365b60efa225583e8140a5ff2b95b978eb6f05a70da60fd8daa9cf64cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
10.1MB

MD5
60767502d26a110dcf063e38d44ebba8

SHA1
beedc4f6acaafdab5ed01ac72c4b2ba491eca496

SHA256
c8d40d78dd4bcce91053453d73df1c909c26e388200da6df36ea6ac3a101711c

SHA512
213594e611f3b1979eb40dd1dcc43fdb09d829135c2a20fe3c52b82ab061565b3d726b72d5948b7a34733e9ef1d81476333333e5469b14370a3a2f7fff290aa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
8.8MB

MD5
575d27e038caf19f1ef2aa753e72e24d

SHA1
4c8d5f0ed27ea9f0eabd9612b8cfb81358cd39c1

SHA256
9cb5d8230272cd0af31f92315f98e633f3d1eb5a266c89008521d62304aca40e

SHA512
7877b12fab371d1d0271037959032208d1b2a7b02c96c322b4a6935d2e488d8e183c64c56fe05a2a4e5af72859bb46b065f7d4a9b04260228d04197832ffeb72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
2.0MB

MD5
708b2ee02ccdc43c2229674f3e929274

SHA1
d22d290cef5574c679a91e2299ddb30ed1b01500

SHA256
5604d10a21bd6a0816117b41ebd8823a947d447ef428f9675ec787174c82cc65

SHA512
c96e8840ddc3aedd32fcabd20057ffbedd46feea921e6ff9eeceb753b3b727223b0843eceddd6d7f645f8cb0a449b971ebc1cc7667e3ae4dc6d2229ae1e96210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
2.2MB

MD5
e68a72216491f99d033b21cfb562954f

SHA1
4943c3807287bb59465eb52f6e9d5cec003c41bf

SHA256
91d8b1745e27d53062f393e6cce7978ab9e814792fd7044505ccea2441521926

SHA512
0c87eb9235e5ebf7d81f466e8d838b4a69c2df7f99d9584f1cc4d57124c2f7fa896d4fbb393c30e3537b1035da56cd878f36f52932997247fbc0af4c972b8b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
32KB

MD5
b9e6f6108aeae2e72b186a3331be02d2

SHA1
74a6a99ce49df5deca1d17fd4b35a92eece1bf26

SHA256
898a053e92ebeb97df42850d70930957f35e829301f2cdca52a0521c4e8257a4

SHA512
c31020837b7a3b0ce9935b2661ccd93cd4f37ec0e0a420b6e6a9aab56e19bed7720a5885e18fce714297f549f54eba6c85b4fd8687977ab0e36f7d3e5975d515

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
3.9MB

MD5
625f9bb83e99d33a2bca91f0ea3748db

SHA1
e9adcbd01be92ca01fdc0dedf75d1ebca26cec94

SHA256
b0f799e5cf45f15566003f8fc95a13502de3d30333c4d49328fb74c11bce1f26

SHA512
a5341fd3c0114a824791e5328e80410df08490dc5534360e007a5e83a6a9a19e375188bd7e4e30c1bdfd3fe2199295133578b5ff27ed5f67e00cb6a75e606fff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
10.4MB

MD5
81ca92629adb2701cef63d28627e2b22

SHA1
0f1a0806dfe3bc7f48fef0c1e7f706d29ed8cbab

SHA256
808d8355d9ea8e973a10ae6ab0a2a68e373984d21d30a58fb6090020feff7b43

SHA512
85be13c1acbff3dc29f1d42b1bcf4163557044230a042bc59c07ebb6aba705e3e30f6168a6e61fd0f1dcb4e279f5938f03bade95b7c375b4a3e98ee319c60a3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
4.4MB

MD5
ba5e5e577e3d76ec777cb612559f75ac

SHA1
8d5f5b5ba104ef5c5e9c2d999b44e7f976286259

SHA256
f36cd4233d943577202374e2d487fd4e5d7ed8bdde9865ccdbbc54e107c4d051

SHA512
87d3c7d0c011da22315acc96c78664dcc6a4eb7c4b0f779744447e6887f7e669a35bb0b240950049c7d4bedfcd0a2a483acfdda1340ae4854803d8911f66d317

Download Submit
memory/2068-16-0x00007FFB93F40000-0x00007FFB94A01000-memory.dmp

Filesize
10.8MB

Download
memory/2068-3-0x00007FFB93F40000-0x00007FFB94A01000-memory.dmp

Filesize
10.8MB

Download
memory/3680-0-0x00007FFB93F43000-0x00007FFB93F45000-memory.dmp

Filesize
8KB

Download
memory/3680-12-0x00007FFB93F40000-0x00007FFB94A01000-memory.dmp

Filesize
10.8MB

Download
memory/3680-2-0x00007FFB93F40000-0x00007FFB94A01000-memory.dmp

Filesize
10.8MB

Download
memory/3680-1-0x00000000004B0000-0x0000000000D5A000-memory.dmp

Filesize
8.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads