darkcomet | a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

Analysis

max time kernel
209s
max time network
76s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Size

1.1MB
MD5

a1125ba46c4a93d34420370e615f5ec4
SHA1

453bbb23777e918ec060ec5b67a1a868d6c11792
SHA256

a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf
SHA512

37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50
SSDEEP

24576:vUD3WVqWznA1ICUKy2t0ZeOZ73oGO/bDZE1tcsRR1:emMWznA1GKy2mkOZ74p//ZETRR1

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Executes dropped EXE 8 IoCs

pid	Process
1968	winupdate.exe
844	winupdate.exe
1496	winupdate.exe
856	winupdate.exe
1372	winupdate.exe
1956	winupdate.exe
1884	winupdate.exe
1544	winupdate.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/964-57-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/964-59-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/964-62-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/964-63-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/964-65-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/964-64-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/964-76-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1564-87-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1564-88-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1564-89-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/844-105-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/844-110-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/844-111-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/844-115-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/844-116-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/844-130-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/856-149-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/856-156-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/856-159-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1996-165-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1996-167-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1996-171-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/856-177-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1996-186-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1956-215-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/568-245-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1808-261-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1564-262-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Loads dropped DLL 29 IoCs

pid	Process
964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
1968	winupdate.exe
1968	winupdate.exe
1968	winupdate.exe
1968	winupdate.exe
844	winupdate.exe
844	winupdate.exe
844	winupdate.exe
844	winupdate.exe
1496	winupdate.exe
1496	winupdate.exe
1496	winupdate.exe
1496	winupdate.exe
856	winupdate.exe
856	winupdate.exe
856	winupdate.exe
856	winupdate.exe
1372	winupdate.exe
1372	winupdate.exe
1372	winupdate.exe
1372	winupdate.exe
1956	winupdate.exe
1956	winupdate.exe
1956	winupdate.exe
1956	winupdate.exe
1884	winupdate.exe
1884	winupdate.exe
1884	winupdate.exe
1884	winupdate.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 964 set thread context of 1340	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	28
PID 1340 set thread context of 1564	1340	explorer.exe	30
PID 1968 set thread context of 844	1968	winupdate.exe	31
PID 844 set thread context of 1928	844	winupdate.exe	32
PID 1496 set thread context of 856	1496	winupdate.exe	34
PID 1928 set thread context of 1996	1928	explorer.exe	35
PID 856 set thread context of 1616	856	winupdate.exe	36
PID 1372 set thread context of 1956	1372	winupdate.exe	38
PID 1956 set thread context of 1196	1956	winupdate.exe	39
PID 1196 set thread context of 568	1196	explorer.exe	41
PID 1884 set thread context of 1544	1884	winupdate.exe	42
PID 1616 set thread context of 1808	1616	explorer.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeSecurityPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeTakeOwnershipPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeLoadDriverPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeSystemProfilePrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeSystemtimePrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeProfSingleProcessPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeIncBasePriorityPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeCreatePagefilePrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeBackupPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeRestorePrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeShutdownPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeDebugPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeSystemEnvironmentPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeChangeNotifyPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeRemoteShutdownPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeUndockPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeManageVolumePrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeImpersonatePrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeCreateGlobalPrivilege	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: 33	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: 34	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: 35	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
Token: SeIncreaseQuotaPrivilege	1564	explorer.exe
Token: SeSecurityPrivilege	1564	explorer.exe
Token: SeTakeOwnershipPrivilege	1564	explorer.exe
Token: SeLoadDriverPrivilege	1564	explorer.exe
Token: SeSystemProfilePrivilege	1564	explorer.exe
Token: SeSystemtimePrivilege	1564	explorer.exe
Token: SeProfSingleProcessPrivilege	1564	explorer.exe
Token: SeIncBasePriorityPrivilege	1564	explorer.exe
Token: SeCreatePagefilePrivilege	1564	explorer.exe
Token: SeBackupPrivilege	1564	explorer.exe
Token: SeRestorePrivilege	1564	explorer.exe
Token: SeShutdownPrivilege	1564	explorer.exe
Token: SeDebugPrivilege	1564	explorer.exe
Token: SeSystemEnvironmentPrivilege	1564	explorer.exe
Token: SeChangeNotifyPrivilege	1564	explorer.exe
Token: SeRemoteShutdownPrivilege	1564	explorer.exe
Token: SeUndockPrivilege	1564	explorer.exe
Token: SeManageVolumePrivilege	1564	explorer.exe
Token: SeImpersonatePrivilege	1564	explorer.exe
Token: SeCreateGlobalPrivilege	1564	explorer.exe
Token: 33	1564	explorer.exe
Token: 34	1564	explorer.exe
Token: 35	1564	explorer.exe
Token: SeIncreaseQuotaPrivilege	844	winupdate.exe
Token: SeSecurityPrivilege	844	winupdate.exe
Token: SeTakeOwnershipPrivilege	844	winupdate.exe
Token: SeLoadDriverPrivilege	844	winupdate.exe
Token: SeSystemProfilePrivilege	844	winupdate.exe
Token: SeSystemtimePrivilege	844	winupdate.exe
Token: SeProfSingleProcessPrivilege	844	winupdate.exe
Token: SeIncBasePriorityPrivilege	844	winupdate.exe
Token: SeCreatePagefilePrivilege	844	winupdate.exe
Token: SeBackupPrivilege	844	winupdate.exe
Token: SeRestorePrivilege	844	winupdate.exe
Token: SeShutdownPrivilege	844	winupdate.exe
Token: SeDebugPrivilege	844	winupdate.exe
Token: SeSystemEnvironmentPrivilege	844	winupdate.exe
Token: SeChangeNotifyPrivilege	844	winupdate.exe
Token: SeRemoteShutdownPrivilege	844	winupdate.exe
Token: SeUndockPrivilege	844	winupdate.exe
Token: SeManageVolumePrivilege	844	winupdate.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
1340	explorer.exe
1564	explorer.exe
1968	winupdate.exe
1496	winupdate.exe
1928	explorer.exe
1372	winupdate.exe
1196	explorer.exe
1616	explorer.exe
1884	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 1488 wrote to memory of 964	1488	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	27
PID 964 wrote to memory of 1340	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	28
PID 964 wrote to memory of 1340	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	28
PID 964 wrote to memory of 1340	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	28
PID 964 wrote to memory of 1340	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	28
PID 964 wrote to memory of 1340	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	28
PID 964 wrote to memory of 1340	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	28
PID 964 wrote to memory of 1968	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	29
PID 964 wrote to memory of 1968	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	29
PID 964 wrote to memory of 1968	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	29
PID 964 wrote to memory of 1968	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	29
PID 964 wrote to memory of 1968	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	29
PID 964 wrote to memory of 1968	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	29
PID 964 wrote to memory of 1968	964	a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe	29
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1340 wrote to memory of 1564	1340	explorer.exe	30
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 1968 wrote to memory of 844	1968	winupdate.exe	31
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1928	844	winupdate.exe	32
PID 844 wrote to memory of 1496	844	winupdate.exe	33
PID 844 wrote to memory of 1496	844	winupdate.exe	33
PID 844 wrote to memory of 1496	844	winupdate.exe	33
PID 844 wrote to memory of 1496	844	winupdate.exe	33
PID 844 wrote to memory of 1496	844	winupdate.exe	33
PID 844 wrote to memory of 1496	844	winupdate.exe	33
PID 844 wrote to memory of 1496	844	winupdate.exe	33
PID 1496 wrote to memory of 856	1496	winupdate.exe	34
PID 1496 wrote to memory of 856	1496	winupdate.exe	34
PID 1496 wrote to memory of 856	1496	winupdate.exe	34
PID 1496 wrote to memory of 856	1496	winupdate.exe	34
PID 1496 wrote to memory of 856	1496	winupdate.exe	34

C:\Users\Admin\AppData\Local\Temp\a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
"C:\Users\Admin\AppData\Local\Temp\a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe
  "C:\Users\Admin\AppData\Local\Temp\a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Checks BIOS information in registry
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1564
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Checks BIOS information in registry
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1928
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        Checks BIOS information in registry
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1996
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:856
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        8⤵
        Checks BIOS information in registry
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1808
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1956
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        10⤵
        Checks BIOS information in registry
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:568
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        10⤵
        Executes dropped EXE
        
        PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
1.1MB

MD5
a1125ba46c4a93d34420370e615f5ec4

SHA1
453bbb23777e918ec060ec5b67a1a868d6c11792

SHA256
a773504c2d6b43a8487bae5e03a25da29edb50d8a5b37d65b62b9671ce744adf

SHA512
37ec170cfb8a0b64d845a92f586cba0892cfc7f0e859358115f931cc1fa6216a45300c974a783c9afbec870caf771e2fbc9b7e954d054e31b370554bc9a77f50

Download Submit
memory/568-245-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/844-105-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/844-112-0x0000000000BA0000-0x0000000001042000-memory.dmp

Filesize
4.6MB

Download
memory/844-113-0x0000000000BA0000-0x0000000001042000-memory.dmp

Filesize
4.6MB

Download
memory/844-115-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/844-116-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/844-114-0x0000000000BA0000-0x0000000001042000-memory.dmp

Filesize
4.6MB

Download
memory/844-111-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/844-110-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/844-130-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/856-149-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/856-159-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/856-177-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/856-263-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/856-173-0x0000000000B60000-0x0000000001002000-memory.dmp

Filesize
4.6MB

Download
memory/856-156-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-59-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-64-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-76-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/964-61-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1196-236-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1340-77-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1340-74-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1340-81-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1340-85-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1340-66-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1340-68-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1372-196-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1372-195-0x00000000011C0000-0x0000000001662000-memory.dmp

Filesize
4.6MB

Download
memory/1372-264-0x00000000011C0000-0x0000000001662000-memory.dmp

Filesize
4.6MB

Download
memory/1372-192-0x00000000011C0000-0x0000000001662000-memory.dmp

Filesize
4.6MB

Download
memory/1372-190-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1372-188-0x0000000002E90000-0x0000000003332000-memory.dmp

Filesize
4.6MB

Download
memory/1488-56-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1488-60-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1496-138-0x0000000000D30000-0x00000000011D2000-memory.dmp

Filesize
4.6MB

Download
memory/1496-151-0x0000000002E90000-0x0000000003332000-memory.dmp

Filesize
4.6MB

Download
memory/1496-150-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1496-140-0x0000000000D30000-0x00000000011D2000-memory.dmp

Filesize
4.6MB

Download
memory/1496-139-0x0000000000D30000-0x00000000011D2000-memory.dmp

Filesize
4.6MB

Download
memory/1496-137-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1564-87-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1564-262-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1564-88-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1564-89-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1616-251-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1616-231-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1808-261-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1884-240-0x0000000000F40000-0x00000000013E2000-memory.dmp

Filesize
4.6MB

Download
memory/1884-242-0x0000000000F40000-0x00000000013E2000-memory.dmp

Filesize
4.6MB

Download
memory/1884-260-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1884-238-0x0000000000F40000-0x00000000013E2000-memory.dmp

Filesize
4.6MB

Download
memory/1884-232-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1928-163-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1928-135-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1928-136-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1956-212-0x0000000000D40000-0x00000000011E2000-memory.dmp

Filesize
4.6MB

Download
memory/1956-215-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1956-265-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1968-96-0x0000000000FD0000-0x0000000001472000-memory.dmp

Filesize
4.6MB

Download
memory/1968-97-0x0000000000FD0000-0x0000000001472000-memory.dmp

Filesize
4.6MB

Download
memory/1968-103-0x0000000000400000-0x00000000008A2000-memory.dmp

Filesize
4.6MB

Download
memory/1968-95-0x0000000000FD0000-0x0000000001472000-memory.dmp

Filesize
4.6MB

Download
memory/1996-186-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1996-165-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1996-167-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1996-171-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads