Analysis
-
max time kernel
115s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
21/03/2025, 21:17
General
-
Target
JaffaCakes118_84c7d8597e548caeb258298376c27519.exe
-
Size
663KB
-
MD5
84c7d8597e548caeb258298376c27519
-
SHA1
b5ccbdb78d80af0c91b8378e9c4a2ee4f779f91c
-
SHA256
fdc4c6e08abd577ef436c0efbaeccfec398adf59bd049820110b8028b6129eac
-
SHA512
54666ae9801bd95d6482788b8855f85b87aa7d1df00cfd3265407f010f980ad6612b4f7f3c9c444baf06831856431a66b50ccfb3b114d79bc9abdcd7e5e84022
-
SSDEEP
12288:3pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/Y:ZwAcu99lPzvxP+Bsz2XjWTRMQckkIXnA
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
sbs
C2
127.0.0.1:21
Mutex
DC_MUTEX-D77XKZP
Attributes
-
InstallPath
Windupdt\winupdate.exe
-
gencode
cyolL=+r#6rV
-
install
true
-
offline_keylogger
true
-
password
never mind
-
persistence
true
-
reg_key
winupdater
rc4.plain
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c7d8597e548caeb258298376c27519.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c7d8597e548caeb258298376c27519.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"4⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"5⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"6⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"6⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"7⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"7⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"8⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"8⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"9⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"9⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"10⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"10⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"11⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"11⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"12⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"13⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "14⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"14⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"14⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "15⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"15⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"15⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "16⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"16⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"16⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"16⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "17⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"17⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"17⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"17⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "18⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"18⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"18⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"18⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "19⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"19⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"19⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"19⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "20⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"20⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"20⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"20⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "21⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"21⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"21⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"22⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"22⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"22⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "23⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"23⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"23⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"23⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "24⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"24⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"24⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"24⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "25⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"25⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"25⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"25⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "26⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"26⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"26⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"26⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "27⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"27⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"27⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"27⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "28⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"28⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"28⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"28⤵
- Checks BIOS information in registry
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "29⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"29⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"29⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"29⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "30⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"30⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"30⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"30⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "31⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"31⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"31⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"31⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "32⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"32⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"32⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"32⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "33⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV134⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"33⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"33⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"33⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "34⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"34⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"34⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"34⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "35⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"35⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"35⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"35⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "36⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"36⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"36⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"36⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "37⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"37⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"37⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"37⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "38⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"38⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"38⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"38⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "39⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"39⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"39⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"39⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "40⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"40⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"40⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"40⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "41⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"41⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"41⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"41⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "42⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"42⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"42⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"42⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "43⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"43⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"43⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"43⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "44⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV145⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"44⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"44⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"44⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "45⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"45⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"45⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"45⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "46⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV147⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"46⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"46⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"46⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "47⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"47⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"47⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"47⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "48⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"48⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"48⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"48⤵
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "49⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"49⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"49⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"49⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "50⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"50⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"50⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"50⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "51⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"51⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"51⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"51⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "52⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"52⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"52⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"52⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "53⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"53⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV154⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"53⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"53⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "54⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"54⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"54⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"54⤵
- Checks BIOS information in registry
- Checks computer location settings
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "55⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"55⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"55⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"55⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "56⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"56⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"56⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"56⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "57⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV158⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"57⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV158⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"57⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"57⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "58⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"58⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"58⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"58⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "59⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"59⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV160⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"59⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"59⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "60⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"60⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"60⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"60⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "61⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"61⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"61⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"61⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "62⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"62⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"62⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"62⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "63⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"63⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"63⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"63⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "64⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"64⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"64⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"64⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "65⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"65⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"65⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"65⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "66⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"66⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"66⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"66⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "67⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"67⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"67⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"67⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "68⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"68⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"68⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"68⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "69⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"69⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"69⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"69⤵
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "70⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"70⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"70⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"70⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "71⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"71⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"71⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"71⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "72⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"72⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"72⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"72⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "73⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"73⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"73⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"73⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "74⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"74⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"74⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"74⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "75⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"75⤵
- Adds Run key to start application
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV176⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"75⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"75⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "76⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"76⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"76⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"76⤵
- Modifies WinLogon for persistence
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "77⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"77⤵
- Adds Run key to start application
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV178⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"77⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"77⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "78⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"78⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"78⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"78⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "79⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"79⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"79⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"79⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "80⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"80⤵
- Adds Run key to start application
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"80⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"80⤵
- Modifies WinLogon for persistence
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "81⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"81⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"81⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"81⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "82⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"82⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"82⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"82⤵
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "83⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV184⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"83⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"83⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"83⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "84⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"84⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"84⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"84⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "85⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"85⤵
- Adds Run key to start application
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV186⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"85⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"85⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "86⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"86⤵
- Adds Run key to start application
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"86⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"86⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "87⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"87⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"87⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"87⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "88⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"88⤵
- Adds Run key to start application
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"88⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"88⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "89⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"89⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"89⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"89⤵
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "90⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"90⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"90⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"90⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "91⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV192⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"91⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"91⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"91⤵
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "92⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"92⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"92⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"92⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "93⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"93⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"93⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"93⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "94⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"94⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"94⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"94⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "95⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"95⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"95⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"95⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "96⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"96⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"96⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"96⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "97⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV198⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"97⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"97⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"97⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "98⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"98⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"98⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"98⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "99⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1100⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"99⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"99⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"99⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "100⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"100⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"100⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"100⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "101⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"101⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"101⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "102⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"102⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"102⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"102⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "103⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"103⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"103⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "104⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"104⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"104⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"104⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "105⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"105⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"105⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "106⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"106⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"106⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"106⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "107⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"107⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"107⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "108⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"108⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"108⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"108⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "109⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"109⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"109⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "110⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"110⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"110⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"110⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "111⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"111⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"111⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "112⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"112⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"112⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"112⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "113⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"113⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"113⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "114⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"114⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"114⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"114⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "115⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"115⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"115⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "116⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"116⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"116⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"116⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "117⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"117⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"117⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "118⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"118⤵
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"118⤵
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"118⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAT.BAT" "119⤵
-
-
C:\Users\Admin\AppData\Local\Temp\TOT.EXE"C:\Users\Admin\AppData\Local\Temp\TOT.EXE"119⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"118⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"117⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"116⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"115⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"114⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"113⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"112⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"111⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"110⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"109⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"108⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"107⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"106⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"105⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"104⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"103⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"102⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"101⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"100⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"99⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"98⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"97⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"96⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"95⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV196⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"94⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"93⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"92⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"91⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV192⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"90⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"89⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"88⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"87⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"86⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"85⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"84⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"83⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV184⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"82⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"81⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"80⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"79⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"78⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"77⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"76⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"75⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"74⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"73⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"72⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"71⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"70⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"69⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"68⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"67⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"66⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"65⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV166⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"64⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"63⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV164⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"62⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"61⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"60⤵
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"59⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"58⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"57⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"56⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"55⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"54⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"53⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"52⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"51⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"50⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"49⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"48⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"47⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV148⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"46⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"45⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"44⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"43⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"42⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"41⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"40⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"39⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV140⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"38⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"37⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"36⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"35⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"34⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"33⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"32⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"31⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"30⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"29⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"27⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"26⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵
-
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"25⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"24⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"23⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"22⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"21⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"20⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"19⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"18⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"17⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"16⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"13⤵
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"12⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"10⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"9⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"8⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"7⤵
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"5⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c7d8597e548caeb258298376c27519.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
247B
MD58cdbb527e8c2f50aadbc2fd59657a5f7
SHA1a6f18862015ef5a2f7426c364ded713346c75a83
SHA256ed1be1cff5f6f1119ca6695c72d2deb3f9c7fb04cebce8852e202ce54eff379e
SHA51240a6d335b4864b1dac303895e2c0f93d45be06e5457b94fca0d357265cd58efd38e220d7fa6054ca94eb89a3b214a2f104c77ff74644a54be3e1bf46c931a525
-
Filesize
27KB
MD5ddcde928805f0acae7491c46f791ebe0
SHA11af656bac2e38a54fbf9f4e8c250341fd7953fe0
SHA2569a1150347f1d9428c91130c2f77dbe4aeade037ed812d01b7669c53be09165f4
SHA512749e11dfbf1847a6035f0f3134aed3112c77add27b6cc06509cc930aa9bb2c05740a4a687c382ff30b3470b920404ad8a848165430aa7f92d01ad379713a0f69
-
Filesize
663KB
MD584c7d8597e548caeb258298376c27519
SHA1b5ccbdb78d80af0c91b8378e9c4a2ee4f779f91c
SHA256fdc4c6e08abd577ef436c0efbaeccfec398adf59bd049820110b8028b6129eac
SHA51254666ae9801bd95d6482788b8855f85b87aa7d1df00cfd3265407f010f980ad6612b4f7f3c9c444baf06831856431a66b50ccfb3b114d79bc9abdcd7e5e84022
-
Filesize
4KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
56KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
4KB