skuld | 414180a9f9707cb3501546487051badead26b0d08d0143302c62f84b81a565f5

Resubmissions

26-12-2024 10:52

241226-myqcmatlhx 10

26-12-2024 10:39

241226-mp9pxatjfz 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comet.exe
Size

8.6MB
MD5

1f5d19397b48172aba35885f39e318fa
SHA1

df77020bffc62f386b5ce0ad0cde3d8f8b704b93
SHA256

dd780875686be33910002f91aaeb8f8ec70a2f3972c41c707a59ef18cd900e74
SHA512

4ccec7c602582d467a63e8f6e8fc222e73bb88a589256fac0577452b6ffaaec58adf2b5e216f8a27404c4717a74f239ce73226385133764b75baa775b25de4a0
SSDEEP

196608:u9+8ZspGS5puzUZqVBU6NABaScfR3xeUDyzfS/FNgeLCtNP:u9+EEp5ZqPBOhcftAUDyzqNutNP

Score

10^/10

skuld persistence stealer

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1320235014511792160/59qb1BvUIDJlYJZoQnnxe4CNf8Swi8--Nwm7q4BECFectFCCJWiM-H8Ng2tA4-dl6Vyb

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Checks computer location settings 2 TTPs 62 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Comet.exe

Executes dropped EXE 61 IoCs

pid	Process
2940	deltadll.exe
1908	deltadll.exe
1676	deltadll.exe
1884	deltadll.exe
4400	deltadll.exe
3968	deltadll.exe
3436	deltadll.exe
920	deltadll.exe
2604	deltadll.exe
2920	deltadll.exe
1400	deltadll.exe
4276	deltadll.exe
1736	deltadll.exe
368	deltadll.exe
2460	deltadll.exe
4304	deltadll.exe
4916	deltadll.exe
3076	deltadll.exe
1880	deltadll.exe
4628	deltadll.exe
1364	deltadll.exe
4484	deltadll.exe
1756	deltadll.exe
1508	deltadll.exe
4196	deltadll.exe
5112	deltadll.exe
868	deltadll.exe
1416	deltadll.exe
4516	deltadll.exe
1940	deltadll.exe
1260	deltadll.exe
4492	deltadll.exe
1724	deltadll.exe
1624	deltadll.exe
1352	deltadll.exe
4932	deltadll.exe
1460	deltadll.exe
4812	deltadll.exe
2656	deltadll.exe
3076	deltadll.exe
4344	deltadll.exe
1724	deltadll.exe
1624	deltadll.exe
1352	deltadll.exe
888	deltadll.exe
4412	deltadll.exe
1220	deltadll.exe
1980	deltadll.exe
4460	deltadll.exe
4344	deltadll.exe
868	deltadll.exe
1392	deltadll.exe
4480	deltadll.exe
2516	deltadll.exe
3872	deltadll.exe
2312	deltadll.exe
1396	deltadll.exe
2376	deltadll.exe
2836	deltadll.exe
1580	deltadll.exe
2444	deltadll.exe

Adds Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	deltadll.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	Comet.exe
Token: SeDebugPrivilege	1092	Comet.exe
Token: SeDebugPrivilege	2940	deltadll.exe
Token: SeDebugPrivilege	1908	deltadll.exe
Token: SeDebugPrivilege	1164	Comet.exe
Token: SeDebugPrivilege	1676	deltadll.exe
Token: SeDebugPrivilege	4912	Comet.exe
Token: SeDebugPrivilege	1884	deltadll.exe
Token: SeDebugPrivilege	4876	Comet.exe
Token: SeDebugPrivilege	4400	deltadll.exe
Token: SeDebugPrivilege	2128	Comet.exe
Token: SeDebugPrivilege	3968	deltadll.exe
Token: SeDebugPrivilege	3888	Comet.exe
Token: SeDebugPrivilege	3436	deltadll.exe
Token: SeDebugPrivilege	644	Comet.exe
Token: SeDebugPrivilege	920	deltadll.exe
Token: SeDebugPrivilege	1092	Comet.exe
Token: SeDebugPrivilege	2604	deltadll.exe
Token: SeDebugPrivilege	4440	Comet.exe
Token: SeDebugPrivilege	2920	deltadll.exe
Token: SeDebugPrivilege	516	Comet.exe
Token: SeDebugPrivilege	1400	deltadll.exe
Token: SeDebugPrivilege	4584	Comet.exe
Token: SeDebugPrivilege	4276	deltadll.exe
Token: SeDebugPrivilege	2860	Comet.exe
Token: SeDebugPrivilege	1736	deltadll.exe
Token: SeDebugPrivilege	3588	Comet.exe
Token: SeDebugPrivilege	368	deltadll.exe
Token: SeDebugPrivilege	1464	Comet.exe
Token: SeDebugPrivilege	2460	deltadll.exe
Token: SeDebugPrivilege	4004	Comet.exe
Token: SeDebugPrivilege	4304	deltadll.exe
Token: SeDebugPrivilege	2604	Comet.exe
Token: SeDebugPrivilege	4916	deltadll.exe
Token: SeDebugPrivilege	1048	Comet.exe
Token: SeDebugPrivilege	3076	deltadll.exe
Token: SeDebugPrivilege	4300	Comet.exe
Token: SeDebugPrivilege	1880	deltadll.exe
Token: SeDebugPrivilege	8	Comet.exe
Token: SeDebugPrivilege	4628	deltadll.exe
Token: SeDebugPrivilege	704	Comet.exe
Token: SeDebugPrivilege	1364	deltadll.exe
Token: SeDebugPrivilege	680	Comet.exe
Token: SeDebugPrivilege	4484	deltadll.exe
Token: SeDebugPrivilege	836	Comet.exe
Token: SeDebugPrivilege	1756	deltadll.exe
Token: SeDebugPrivilege	3344	Comet.exe
Token: SeDebugPrivilege	1508	deltadll.exe
Token: SeDebugPrivilege	400	Comet.exe
Token: SeDebugPrivilege	4196	deltadll.exe
Token: SeDebugPrivilege	1048	Comet.exe
Token: SeDebugPrivilege	5112	deltadll.exe
Token: SeDebugPrivilege	4928	Comet.exe
Token: SeDebugPrivilege	868	deltadll.exe
Token: SeDebugPrivilege	2712	Comet.exe
Token: SeDebugPrivilege	1416	deltadll.exe
Token: SeDebugPrivilege	1460	Comet.exe
Token: SeDebugPrivilege	4516	deltadll.exe
Token: SeDebugPrivilege	3652	Comet.exe
Token: SeDebugPrivilege	1940	deltadll.exe
Token: SeDebugPrivilege	3956	Comet.exe
Token: SeDebugPrivilege	1260	deltadll.exe
Token: SeDebugPrivilege	2452	Comet.exe
Token: SeDebugPrivilege	4492	deltadll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1092	2584	Comet.exe	87
PID 2584 wrote to memory of 1092	2584	Comet.exe	87
PID 2584 wrote to memory of 2940	2584	Comet.exe	88
PID 2584 wrote to memory of 2940	2584	Comet.exe	88
PID 2940 wrote to memory of 3588	2940	deltadll.exe	93
PID 2940 wrote to memory of 3588	2940	deltadll.exe	93
PID 1092 wrote to memory of 1164	1092	Comet.exe	94
PID 1092 wrote to memory of 1164	1092	Comet.exe	94
PID 1092 wrote to memory of 1908	1092	Comet.exe	96
PID 1092 wrote to memory of 1908	1092	Comet.exe	96
PID 1908 wrote to memory of 3168	1908	deltadll.exe	98
PID 1908 wrote to memory of 3168	1908	deltadll.exe	98
PID 1164 wrote to memory of 4912	1164	Comet.exe	103
PID 1164 wrote to memory of 4912	1164	Comet.exe	103
PID 1164 wrote to memory of 1676	1164	Comet.exe	104
PID 1164 wrote to memory of 1676	1164	Comet.exe	104
PID 1676 wrote to memory of 3756	1676	deltadll.exe	106
PID 1676 wrote to memory of 3756	1676	deltadll.exe	106
PID 4912 wrote to memory of 4876	4912	Comet.exe	108
PID 4912 wrote to memory of 4876	4912	Comet.exe	108
PID 4912 wrote to memory of 1884	4912	Comet.exe	109
PID 4912 wrote to memory of 1884	4912	Comet.exe	109
PID 1884 wrote to memory of 1992	1884	deltadll.exe	111
PID 1884 wrote to memory of 1992	1884	deltadll.exe	111
PID 4876 wrote to memory of 2128	4876	Comet.exe	113
PID 4876 wrote to memory of 2128	4876	Comet.exe	113
PID 4876 wrote to memory of 4400	4876	Comet.exe	114
PID 4876 wrote to memory of 4400	4876	Comet.exe	114
PID 4400 wrote to memory of 4556	4400	deltadll.exe	116
PID 4400 wrote to memory of 4556	4400	deltadll.exe	116
PID 2128 wrote to memory of 3888	2128	Comet.exe	118
PID 2128 wrote to memory of 3888	2128	Comet.exe	118
PID 2128 wrote to memory of 3968	2128	Comet.exe	119
PID 2128 wrote to memory of 3968	2128	Comet.exe	119
PID 3968 wrote to memory of 740	3968	deltadll.exe	121
PID 3968 wrote to memory of 740	3968	deltadll.exe	121
PID 3888 wrote to memory of 644	3888	Comet.exe	123
PID 3888 wrote to memory of 644	3888	Comet.exe	123
PID 3888 wrote to memory of 3436	3888	Comet.exe	124
PID 3888 wrote to memory of 3436	3888	Comet.exe	124
PID 3436 wrote to memory of 1724	3436	deltadll.exe	126
PID 3436 wrote to memory of 1724	3436	deltadll.exe	126
PID 644 wrote to memory of 1092	644	Comet.exe	128
PID 644 wrote to memory of 1092	644	Comet.exe	128
PID 644 wrote to memory of 920	644	Comet.exe	129
PID 644 wrote to memory of 920	644	Comet.exe	129
PID 920 wrote to memory of 2636	920	deltadll.exe	131
PID 920 wrote to memory of 2636	920	deltadll.exe	131
PID 1092 wrote to memory of 4440	1092	Comet.exe	133
PID 1092 wrote to memory of 4440	1092	Comet.exe	133
PID 1092 wrote to memory of 2604	1092	Comet.exe	134
PID 1092 wrote to memory of 2604	1092	Comet.exe	134
PID 2604 wrote to memory of 2368	2604	deltadll.exe	136
PID 2604 wrote to memory of 2368	2604	deltadll.exe	136
PID 4440 wrote to memory of 516	4440	Comet.exe	138
PID 4440 wrote to memory of 516	4440	Comet.exe	138
PID 4440 wrote to memory of 2920	4440	Comet.exe	139
PID 4440 wrote to memory of 2920	4440	Comet.exe	139
PID 2920 wrote to memory of 2932	2920	deltadll.exe	141
PID 2920 wrote to memory of 2932	2920	deltadll.exe	141
PID 516 wrote to memory of 4584	516	Comet.exe	143
PID 516 wrote to memory of 4584	516	Comet.exe	143
PID 516 wrote to memory of 1400	516	Comet.exe	144
PID 516 wrote to memory of 1400	516	Comet.exe	144

Views/modifies file attributes 1 TTPs 61 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1992	attrib.exe
2616	attrib.exe
4116	attrib.exe
4768	attrib.exe
3924	attrib.exe
1724	attrib.exe
5068	attrib.exe
2712	attrib.exe
2508	attrib.exe
2996	attrib.exe
4868	attrib.exe
3552	attrib.exe
3508	attrib.exe
1988	attrib.exe
2932	attrib.exe
4368	attrib.exe
1156	attrib.exe
2516	attrib.exe
3168	attrib.exe
1992	attrib.exe
4940	attrib.exe
3012	attrib.exe
2376	attrib.exe
740	attrib.exe
3956	attrib.exe
1724	attrib.exe
5028	attrib.exe
2656	attrib.exe
780	attrib.exe
5068	attrib.exe
1200	attrib.exe
3272	attrib.exe
2588	attrib.exe
4932	attrib.exe
3588	attrib.exe
4556	attrib.exe
4868	attrib.exe
1980	attrib.exe
4740	attrib.exe
2368	attrib.exe
4156	attrib.exe
2636	attrib.exe
3188	attrib.exe
1972	attrib.exe
5056	attrib.exe
388	attrib.exe
4196	attrib.exe
1700	attrib.exe
2760	attrib.exe
1152	attrib.exe
3536	attrib.exe
4196	attrib.exe
3984	attrib.exe
2684	attrib.exe
3616	attrib.exe
4444	attrib.exe
4548	attrib.exe
3756	attrib.exe
1620	attrib.exe
2312	attrib.exe
2856	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Comet.exe
"C:\Users\Admin\AppData\Local\Temp\Comet.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\Comet.exe
  "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\Comet.exe
    "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
      "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        6⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        8⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        10⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        12⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        14⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        16⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        18⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        20⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        22⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        24⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        26⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        28⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        29⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        30⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        31⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        32⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        33⤵
        Checks computer location settings
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        34⤵
        Checks computer location settings
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        35⤵
        Checks computer location settings
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        36⤵
        Checks computer location settings
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        37⤵
        Checks computer location settings
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        38⤵
        Checks computer location settings
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        39⤵
        Checks computer location settings
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        40⤵
        Checks computer location settings
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        41⤵
        Checks computer location settings
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        42⤵
        Checks computer location settings
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        43⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        44⤵
        Checks computer location settings
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        45⤵
        Checks computer location settings
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        46⤵
        Checks computer location settings
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        47⤵
        Checks computer location settings
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        48⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        49⤵
        Checks computer location settings
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        50⤵
        Checks computer location settings
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        51⤵
        Checks computer location settings
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        52⤵
        Checks computer location settings
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        53⤵
        Checks computer location settings
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        54⤵
        Checks computer location settings
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        55⤵
        Checks computer location settings
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        56⤵
        Checks computer location settings
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        57⤵
        Checks computer location settings
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        58⤵
        Checks computer location settings
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        59⤵
        Checks computer location settings
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        60⤵
        Checks computer location settings
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        61⤵
        Checks computer location settings
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        62⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        63⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        62⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2444
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        63⤵
        Views/modifies file attributes
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        61⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1580
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        62⤵
        Views/modifies file attributes
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2836
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        61⤵
        Views/modifies file attributes
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2376
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        60⤵
        Views/modifies file attributes
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1396
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        59⤵
        Views/modifies file attributes
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        57⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        58⤵
        Views/modifies file attributes
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3872
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        57⤵
        Views/modifies file attributes
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2516
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        56⤵
        Views/modifies file attributes
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4480
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        55⤵
        Views/modifies file attributes
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        53⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1392
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        54⤵
        Views/modifies file attributes
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:868
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        53⤵
        Views/modifies file attributes
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4344
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        52⤵
        Views/modifies file attributes
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4460
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        51⤵
        Views/modifies file attributes
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1980
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        50⤵
        Views/modifies file attributes
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1220
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        49⤵
        Views/modifies file attributes
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4412
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        48⤵
        Views/modifies file attributes
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:888
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        47⤵
        Views/modifies file attributes
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        45⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1352
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        46⤵
        Views/modifies file attributes
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1624
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        45⤵
        Views/modifies file attributes
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1724
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        44⤵
        Views/modifies file attributes
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        42⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        43⤵
        Views/modifies file attributes
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3076
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        42⤵
        Views/modifies file attributes
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        40⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2656
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        41⤵
        Views/modifies file attributes
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        39⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4812
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        40⤵
        Views/modifies file attributes
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1460
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        39⤵
        Views/modifies file attributes
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4932
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        38⤵
        Views/modifies file attributes
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1352
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        37⤵
        Views/modifies file attributes
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        35⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        36⤵
        Views/modifies file attributes
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1724
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        35⤵
        Views/modifies file attributes
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        34⤵
        Views/modifies file attributes
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        33⤵
        Views/modifies file attributes
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        32⤵
        Views/modifies file attributes
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        31⤵
        Views/modifies file attributes
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        30⤵
        Views/modifies file attributes
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        29⤵
        Views/modifies file attributes
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        28⤵
        Views/modifies file attributes
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        27⤵
        Views/modifies file attributes
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        26⤵
        Views/modifies file attributes
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        25⤵
        Views/modifies file attributes
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        24⤵
        Views/modifies file attributes
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        23⤵
        Views/modifies file attributes
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        22⤵
        Views/modifies file attributes
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        21⤵
        Views/modifies file attributes
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        20⤵
        Views/modifies file attributes
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        19⤵
        Views/modifies file attributes
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        18⤵
        Views/modifies file attributes
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        17⤵
        Views/modifies file attributes
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        16⤵
        Views/modifies file attributes
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        15⤵
        Views/modifies file attributes
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        14⤵
        Views/modifies file attributes
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        13⤵
        Views/modifies file attributes
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        12⤵
        Views/modifies file attributes
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        11⤵
        Views/modifies file attributes
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        10⤵
        Views/modifies file attributes
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        9⤵
        Views/modifies file attributes
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        8⤵
        Views/modifies file attributes
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        7⤵
        Views/modifies file attributes
        
        PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        6⤵
        Views/modifies file attributes
        
        PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
      "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
        5⤵
        Views/modifies file attributes
        
        PID:3756
- - C:\Users\Admin\AppData\Local\Temp\deltadll.exe
    "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
      4⤵
      Views/modifies file attributes
      PID:3168
- C:\Users\Admin\AppData\Local\Temp\deltadll.exe
  "C:\Users\Admin\AppData\Local\Temp\deltadll.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Local\Temp\deltadll.exe
    3⤵
    - Views/modifies file attributes
    PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Comet.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\deltadll.exe

Filesize
14.8MB

MD5
19c446f51d203d1fb7eb23210709417b

SHA1
6e33b8d13d1539630615e581e5ab03de371c0dc6

SHA256
b67cae29bac60920b3edc02081da697c4c6486411c1bc77f29b68cb1f23e3ffc

SHA512
9d8601a0c2e090cd5fc6315c1671d669cd6a6bf20d3ef24cb1a111e344464913fe809c9b27d32608b93b988a37e59c90086ccf68545ce385ef58f96365a439df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
12.5MB

MD5
4de148ed89158e9b4a562ec900794507

SHA1
aa37c408f97b128c4fa152a427bd37a8bc4d54c5

SHA256
4270aada868ba063a0c80023936de560f6ac98f69efaec8791f019f5ebc32010

SHA512
0c2d595b382e63ff4fc672ec746ed5f80a9a6209e231fc5a213395a6ce3019645f3da7e85365524189ef4e19c7167e5a10cbc835b2a3dc84310d8ad80526f7e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
2.0MB

MD5
708b2ee02ccdc43c2229674f3e929274

SHA1
d22d290cef5574c679a91e2299ddb30ed1b01500

SHA256
5604d10a21bd6a0816117b41ebd8823a947d447ef428f9675ec787174c82cc65

SHA512
c96e8840ddc3aedd32fcabd20057ffbedd46feea921e6ff9eeceb753b3b727223b0843eceddd6d7f645f8cb0a449b971ebc1cc7667e3ae4dc6d2229ae1e96210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
10.2MB

MD5
348f32872d25edc5435129fa496f5288

SHA1
b1e6d315c51e285329e8afa7f8981a10adb8802d

SHA256
c5f33e699dddeaf0dd04dd957c29b3e025bea00911f62667093ac3d044e53341

SHA512
0f299f4bc0a65551175623014c4917743d9155dfe998f316e1ee5b58ccdf084cfb0b9a0ff127847dfa21b6dbc3cbcb37e9929b28dd92262e7780a02405034f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
1.2MB

MD5
6906a0e258217ff6b208c2c051e9f1e3

SHA1
f02ab6bfc45712080b0d77b631e3e9d9a17d0168

SHA256
68bb4567fe157fd3a1dd7b244e13a446b460d118a010f9a82a2ec42a406e156f

SHA512
d5e2a9cdf0b0fde322448c21a13659ccc1a3d136e6c8a0fd8406aa781ab8d0264f1a25df0796948d338ca628cddd95698872f981c535b9e255682ea69016f4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
12.7MB

MD5
a8a16d4638902b86304c7bf49142dfb7

SHA1
1e2266607ad0654ff510f5cc003bd5a93ee92648

SHA256
c66fcfd216ce265c62ecd6e94e5ce2b85826758bbb8cc95dec558512201bdb63

SHA512
7d947f4bf835a08acc8129f2bb5fd836f6c9077a15c09a4b04efeb0b6101fdd843b7bdf9c3ac261a150d7f142a3580650a00740da2fa1f747946243a82ec4d12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
8.4MB

MD5
6c1228c0bdec9a08ac0107639126d646

SHA1
6e3c8d50bdd20f8ea03e97d4dc7af28388403253

SHA256
705370216a306772aece2082cf007dd249e6d583ea0800d17878a65b3a6f98fe

SHA512
aa4e7a1b2adbe61d94a177f83dbf5c9b2c52468f12b721933ee30138c199baaf0d50c9bc781d35f26320c6db37a2bf29a5b7388c34df32eb559110523b1c5b36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Filesize
14.0MB

MD5
d244404b540d4bd9f3a686b53978d6db

SHA1
8862b51286554a14d2fe6152d4a1eb02ba194d0c

SHA256
4f366a0ae5ba174b825a48db94ddeafba988148cebf87d5acaf70cc57faeda11

SHA512
6f6e388592a1819eafcdd17c9730a6b80cd587a8cd7330dcb763f9f9e9d94a55978f442c2db63a264e3ffc85b14fba185d86f00e3405e23123152a58345b44eb

Download Submit
memory/644-35-0x000000001E010000-0x000000001E112000-memory.dmp

Filesize
1.0MB

Download
memory/1092-3-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-17-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-13-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1092-38-0x000000001D6E0000-0x000000001D7E2000-memory.dmp

Filesize
1.0MB

Download
memory/1164-20-0x000000001E090000-0x000000001E192000-memory.dmp

Filesize
1.0MB

Download
memory/2128-29-0x000000001DE90000-0x000000001DF92000-memory.dmp

Filesize
1.0MB

Download
memory/2584-12-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2584-0-0x00007FF909133000-0x00007FF909135000-memory.dmp

Filesize
8KB

Download
memory/2584-2-0x00007FF909130000-0x00007FF909BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2584-1-0x0000000000F50000-0x00000000017FA000-memory.dmp

Filesize
8.7MB

Download
memory/3888-32-0x000000001E4A0000-0x000000001E5A2000-memory.dmp

Filesize
1.0MB

Download
memory/4440-41-0x000000001E060000-0x000000001E162000-memory.dmp

Filesize
1.0MB

Download
memory/4876-26-0x000000001E730000-0x000000001E832000-memory.dmp

Filesize
1.0MB

Download
memory/4912-23-0x000000001E0D0000-0x000000001E1D2000-memory.dmp

Filesize
1.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads