Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-01-2025 00:14
General
-
Target
JaffaCakes118_7682d779384e5c5709d9ccc83b72fec0.exe
-
Size
732KB
-
MD5
7682d779384e5c5709d9ccc83b72fec0
-
SHA1
bf69afeb2a0ff053e3edde6bd0f518c90aac8b81
-
SHA256
4e8e573ab9db7a19486e141024cd14b4fe31d23118a0eac3cb5e9454fe629422
-
SHA512
296f040d21a95b349132d829d71128071a79f815f3a8a1209b72a5c72b95effa50538ddb9c4e936a3afa63a3e02562552dd660a7b5bdd6bcf0ade005133ed0b2
-
SSDEEP
12288:mUmupRD3yrzSjMfZm1xqNCZbFaecjB4Bq0tqwGgZc0+dHLIpew8sO/KSii/qNk9T:lrDirzSQs1xpbc+5t5X9Ow8sPTi
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Office
C2
tekarzum.no-ip.biz:1604
Mutex
DC_MUTEX-NNLE62S
Attributes
-
InstallPath
Winupdate\winupdate.exe
-
gencode
rVeqxqv363Vq
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Winupdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
-
Sets file to hidden 1 TTPs 48 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 23 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 46 IoCs
-
Adds Run key to start application 2 TTPs 24 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 24 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 23 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7682d779384e5c5709d9ccc83b72fec0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7682d779384e5c5709d9ccc83b72fec0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7682d779384e5c5709d9ccc83b72fec0.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7682d779384e5c5709d9ccc83b72fec0.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7682d779384e5c5709d9ccc83b72fec0.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7682d779384e5c5709d9ccc83b72fec0.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc4⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc6⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc6⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc8⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc8⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc10⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h10⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad9⤵
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc11⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc12⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe10⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h12⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad11⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc13⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc14⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h14⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad13⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc14⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc16⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe14⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h16⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h16⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad15⤵
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc16⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc17⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc18⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe16⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h18⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h18⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad17⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc18⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc19⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc20⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad19⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc21⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc22⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe20⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h22⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad21⤵
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc22⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc24⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe22⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h23⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h24⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad23⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc24⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc25⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc26⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h25⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h26⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h25⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h26⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad25⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc26⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc27⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc28⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe26⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h28⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h27⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h28⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad27⤵
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc28⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc29⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc30⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe28⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h29⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h30⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h29⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h30⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad29⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc30⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc31⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc32⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h31⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h32⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h31⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h32⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad31⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc32⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc33⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc34⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h33⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h34⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h33⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h34⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad33⤵
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc34⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc35⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc36⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe34⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h35⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h36⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h35⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h36⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad35⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc36⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc37⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc38⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h37⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h38⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h37⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h38⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad37⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc38⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc39⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc40⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe38⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h40⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h39⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h40⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad39⤵
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc40⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc41⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc42⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe40⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h42⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h41⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h42⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad41⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc42⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc44⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe42⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h43⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h44⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h43⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h44⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad43⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc44⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc45⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc46⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe44⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq\winupdate.exe" +s +h46⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h45⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\rVeqxqv363Vq" +s +h46⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad45⤵
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exe"C:\Windows\system32\Winupdate\winupdate.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc46⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc47⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc48⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\Winupdate\winupdate.exeC:\Windows\SysWOW64\Winupdate\winupdate.exe46⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\winupdate.exe" +s +h48⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate" +s +h47⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate" +s +h48⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad47⤵
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe"C:\Windows\system32\Winupdate\rVeqxqv363Vq\winupdate.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe/c net stop MpsSvc48⤵
-
C:\Windows\SysWOW64\net.exenet stop MpsSvc49⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MpsSvc50⤵
-
-
-
-
C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exeC:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq\winupdate.exe" +s +h50⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h49⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Winupdate\rVeqxqv363Vq" +s +h50⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad49⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
732KB
MD57682d779384e5c5709d9ccc83b72fec0
SHA1bf69afeb2a0ff053e3edde6bd0f518c90aac8b81
SHA2564e8e573ab9db7a19486e141024cd14b4fe31d23118a0eac3cb5e9454fe629422
SHA512296f040d21a95b349132d829d71128071a79f815f3a8a1209b72a5c72b95effa50538ddb9c4e936a3afa63a3e02562552dd660a7b5bdd6bcf0ade005133ed0b2
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
4KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
724KB
-
Filesize
24KB