Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-01-2025 01:13
General
-
Target
JaffaCakes118_0116355fef779b9ff6c2553ae538f8b6.exe
-
Size
253KB
-
MD5
0116355fef779b9ff6c2553ae538f8b6
-
SHA1
ce6f1dfc7aa83497e45cdfc26d5a53594f9353e8
-
SHA256
3a8eef90ee3f5f87fba7b61972096d027d144379e96a40f73ec322d4f12e1e17
-
SHA512
fbb732a10898ceceeca076409e6c97240f527dc8206923d86dcac739aaa482baf72f45e1cd0b9c6bf5af255c873ceaba5f87c1f7fd7f322ccd9acc7283b8d062
-
SSDEEP
6144:mD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZ:ml8E4w5huat7UovONzbXw
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
c1yd3i.zapto.org:1604
Mutex
DC_MUTEX-SQ8N0XU
Attributes
-
InstallPath
windupdate\winupdate.exe
-
gencode
Qfgi9EwBLWlj
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
winupdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
-
Sets file to hidden 1 TTPs 46 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 24 IoCs
-
Drops file in System32 directory 64 IoCs
-
UPX packed file 46 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0116355fef779b9ff6c2553ae538f8b6.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0116355fef779b9ff6c2553ae538f8b6.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0116355fef779b9ff6c2553ae538f8b6.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0116355fef779b9ff6c2553ae538f8b6.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\winupdate.exe"C:\Windows\system32\windupdate\winupdate.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\winupdate.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\winupdate.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h6⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h7⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h8⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h7⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h8⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h9⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h10⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h9⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h10⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h11⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h10⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h11⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h11⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h12⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h12⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h13⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h13⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h14⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h15⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h14⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h15⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h16⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h15⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h16⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h17⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h16⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h17⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h17⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h18⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h17⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h18⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h18⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h19⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h19⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h19⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h20⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h19⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h20⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h20⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h21⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h20⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h21⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h21⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h22⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h23⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h22⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe" +s +h24⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h23⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj" +s +h24⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\winupdate.exe"23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h24⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\winupdate.exe" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h24⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj" +s +h25⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"C:\Windows\system32\windupdate\Qfgi9EwBLWlj\Qfgi9EwBLWlj\winupdate.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
253KB
MD50116355fef779b9ff6c2553ae538f8b6
SHA1ce6f1dfc7aa83497e45cdfc26d5a53594f9353e8
SHA2563a8eef90ee3f5f87fba7b61972096d027d144379e96a40f73ec322d4f12e1e17
SHA512fbb732a10898ceceeca076409e6c97240f527dc8206923d86dcac739aaa482baf72f45e1cd0b9c6bf5af255c873ceaba5f87c1f7fd7f322ccd9acc7283b8d062
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
4KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
1000KB
-
Filesize
1.1MB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
12KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB
-
Filesize
748KB