darkcomet | a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

Analysis

max time kernel
224s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Size

820KB
MD5

4408d904c304c3becc5b3f28b9fd2b62
SHA1

741db1ee6c9dd4daa862c531d4194b2745aa2789
SHA256

a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02
SHA512

ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32
SSDEEP

12288:xMrCcQ74kKTUtCkUAlnw8Do0WtJKQV5hcJzkOjsJ7KYk62c5iCCMDGBpU2Uq:684kbUAlnw8DoD2Q7LmT6LiCnGBpkq

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe

Executes dropped EXE 28 IoCs

pid	Process
1396	winupdate.exe
2036	winupdate.exe
1336	winupdate.exe
836	winupdate.exe
936	winupdate.exe
992	winupdate.exe
672	winupdate.exe
1740	winupdate.exe
1328	winupdate.exe
1100	winupdate.exe
1064	winupdate.exe
1136	winupdate.exe
1744	winupdate.exe
896	winupdate.exe
1276	winupdate.exe
1248	winupdate.exe
1964	winupdate.exe
1992	winupdate.exe
1608	winupdate.exe
188	winupdate.exe
1760	winupdate.exe
1040	winupdate.exe
1648	winupdate.exe
816	winupdate.exe
1092	winupdate.exe
1284	winupdate.exe
620	winupdate.exe
268	winupdate.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Deletes itself 1 IoCs

pid	Process
1448	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
1396	winupdate.exe
1396	winupdate.exe
1396	winupdate.exe
1396	winupdate.exe
2036	winupdate.exe
2036	winupdate.exe
2036	winupdate.exe
2036	winupdate.exe
1336	winupdate.exe
1336	winupdate.exe
1336	winupdate.exe
1336	winupdate.exe
836	winupdate.exe
836	winupdate.exe
836	winupdate.exe
836	winupdate.exe
936	winupdate.exe
936	winupdate.exe
936	winupdate.exe
936	winupdate.exe
992	winupdate.exe
992	winupdate.exe
992	winupdate.exe
992	winupdate.exe
672	winupdate.exe
672	winupdate.exe
672	winupdate.exe
672	winupdate.exe
1740	winupdate.exe
1740	winupdate.exe
1740	winupdate.exe
1740	winupdate.exe
1328	winupdate.exe
1328	winupdate.exe
1328	winupdate.exe
1328	winupdate.exe
1100	winupdate.exe
1100	winupdate.exe
1100	winupdate.exe
1100	winupdate.exe
1064	winupdate.exe
1064	winupdate.exe
1064	winupdate.exe
1064	winupdate.exe
1136	winupdate.exe
1136	winupdate.exe
1136	winupdate.exe
1136	winupdate.exe
1744	winupdate.exe
1744	winupdate.exe
1744	winupdate.exe
1744	winupdate.exe
896	winupdate.exe
896	winupdate.exe
896	winupdate.exe
896	winupdate.exe
1276	winupdate.exe
1276	winupdate.exe
1276	winupdate.exe
1276	winupdate.exe
1248	winupdate.exe
1248	winupdate.exe
1248	winupdate.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe

Suspicious use of SetThreadContext 19 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 564 set thread context of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 1396 set thread context of 2036	1396	winupdate.exe	34
PID 2036 set thread context of 1336	2036	winupdate.exe	35
PID 836 set thread context of 936	836	winupdate.exe	40
PID 672 set thread context of 1740	672	winupdate.exe	46
PID 1740 set thread context of 1328	1740	winupdate.exe	47
PID 1100 set thread context of 1064	1100	winupdate.exe	52
PID 1064 set thread context of 1136	1064	winupdate.exe	53
PID 1744 set thread context of 896	1744	winupdate.exe	58
PID 896 set thread context of 1276	896	winupdate.exe	59
PID 1248 set thread context of 1964	1248	winupdate.exe	64
PID 1964 set thread context of 1992	1964	winupdate.exe	65
PID 1608 set thread context of 188	1608	winupdate.exe	70
PID 188 set thread context of 1760	188	winupdate.exe	71
PID 1040 set thread context of 1648	1040	winupdate.exe	76
PID 1648 set thread context of 816	1648	winupdate.exe	77
PID 1092 set thread context of 1284	1092	winupdate.exe	82
PID 1284 set thread context of 620	1284	winupdate.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 40 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
1804	PING.EXE
1672	PING.EXE
1716	PING.EXE
1160	PING.EXE
668	PING.EXE
1316	PING.EXE
952	PING.EXE
1788	PING.EXE
876	PING.EXE
792	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeSecurityPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeTakeOwnershipPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeLoadDriverPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeSystemProfilePrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeSystemtimePrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeProfSingleProcessPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeIncBasePriorityPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeCreatePagefilePrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeBackupPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeRestorePrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeShutdownPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeDebugPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeSystemEnvironmentPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeChangeNotifyPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeRemoteShutdownPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeUndockPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeManageVolumePrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeImpersonatePrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeCreateGlobalPrivilege	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: 33	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: 34	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: 35	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Token: SeIncreaseQuotaPrivilege	1336	winupdate.exe
Token: SeSecurityPrivilege	1336	winupdate.exe
Token: SeTakeOwnershipPrivilege	1336	winupdate.exe
Token: SeLoadDriverPrivilege	1336	winupdate.exe
Token: SeSystemProfilePrivilege	1336	winupdate.exe
Token: SeSystemtimePrivilege	1336	winupdate.exe
Token: SeProfSingleProcessPrivilege	1336	winupdate.exe
Token: SeIncBasePriorityPrivilege	1336	winupdate.exe
Token: SeCreatePagefilePrivilege	1336	winupdate.exe
Token: SeBackupPrivilege	1336	winupdate.exe
Token: SeRestorePrivilege	1336	winupdate.exe
Token: SeShutdownPrivilege	1336	winupdate.exe
Token: SeDebugPrivilege	1336	winupdate.exe
Token: SeSystemEnvironmentPrivilege	1336	winupdate.exe
Token: SeChangeNotifyPrivilege	1336	winupdate.exe
Token: SeRemoteShutdownPrivilege	1336	winupdate.exe
Token: SeUndockPrivilege	1336	winupdate.exe
Token: SeManageVolumePrivilege	1336	winupdate.exe
Token: SeImpersonatePrivilege	1336	winupdate.exe
Token: SeCreateGlobalPrivilege	1336	winupdate.exe
Token: 33	1336	winupdate.exe
Token: 34	1336	winupdate.exe
Token: 35	1336	winupdate.exe
Token: SeRestorePrivilege	1336	winupdate.exe
Token: SeBackupPrivilege	1336	winupdate.exe
Token: SeIncreaseQuotaPrivilege	992	winupdate.exe
Token: SeSecurityPrivilege	992	winupdate.exe
Token: SeTakeOwnershipPrivilege	992	winupdate.exe
Token: SeLoadDriverPrivilege	992	winupdate.exe
Token: SeSystemProfilePrivilege	992	winupdate.exe
Token: SeSystemtimePrivilege	992	winupdate.exe
Token: SeProfSingleProcessPrivilege	992	winupdate.exe
Token: SeIncBasePriorityPrivilege	992	winupdate.exe
Token: SeCreatePagefilePrivilege	992	winupdate.exe
Token: SeBackupPrivilege	992	winupdate.exe
Token: SeRestorePrivilege	992	winupdate.exe
Token: SeShutdownPrivilege	992	winupdate.exe
Token: SeDebugPrivilege	992	winupdate.exe
Token: SeSystemEnvironmentPrivilege	992	winupdate.exe
Token: SeChangeNotifyPrivilege	992	winupdate.exe
Token: SeRemoteShutdownPrivilege	992	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 1516 wrote to memory of 564	1516	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	28
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 564 wrote to memory of 476	564	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	29
PID 476 wrote to memory of 1396	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	30
PID 476 wrote to memory of 1396	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	30
PID 476 wrote to memory of 1396	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	30
PID 476 wrote to memory of 1396	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	30
PID 476 wrote to memory of 1396	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	30
PID 476 wrote to memory of 1396	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	30
PID 476 wrote to memory of 1396	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	30
PID 476 wrote to memory of 1448	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	31
PID 476 wrote to memory of 1448	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	31
PID 476 wrote to memory of 1448	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	31
PID 476 wrote to memory of 1448	476	a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe	31
PID 1448 wrote to memory of 1316	1448	cmd.exe	33
PID 1448 wrote to memory of 1316	1448	cmd.exe	33
PID 1448 wrote to memory of 1316	1448	cmd.exe	33
PID 1448 wrote to memory of 1316	1448	cmd.exe	33
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 1396 wrote to memory of 2036	1396	winupdate.exe	34
PID 2036 wrote to memory of 1336	2036	winupdate.exe	35
PID 2036 wrote to memory of 1336	2036	winupdate.exe	35
PID 2036 wrote to memory of 1336	2036	winupdate.exe	35
PID 2036 wrote to memory of 1336	2036	winupdate.exe	35
PID 2036 wrote to memory of 1336	2036	winupdate.exe	35
PID 2036 wrote to memory of 1336	2036	winupdate.exe	35
PID 2036 wrote to memory of 1336	2036	winupdate.exe	35

C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
"C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
  C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
    C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
      "C:\Windows\system32\Windowsupdate\winupdate.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:836
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:936
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        9⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:672
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1740
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1328
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1100
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1064
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        15⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1136
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1744
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:896
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        18⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1276
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1248
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1964
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        21⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1992
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1608
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:188
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        24⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1760
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1040
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1648
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        27⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:816
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1092
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1284
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        30⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Checks BIOS information in registry
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:620
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        31⤵
        Executes dropped EXE
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        31⤵
        
        PID:836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        32⤵
        Runs ping.exe
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        28⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        29⤵
        Runs ping.exe
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        25⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        26⤵
        Runs ping.exe
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        22⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        23⤵
        Runs ping.exe
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        19⤵
        
        PID:108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        20⤵
        Runs ping.exe
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        16⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        17⤵
        Runs ping.exe
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        13⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        14⤵
        Runs ping.exe
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        10⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        11⤵
        Runs ping.exe
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        7⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        8⤵
        Runs ping.exe
        
        PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
      4⤵
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
82B

MD5
161109f79808cfb6a41a419e9c0e94a8

SHA1
9e8191ceeaaa07868efe2a90ad9179902509c6e2

SHA256
1f0311b2dfc1ef35e51cd0271e0e6af6549fe3a3089a9cdc9ad3568cd424523a

SHA512
6c3b41b0ddf7cf86b2faf7583dbff9a752d9545c7028359378911d4244186f66e403547aad6e10fb7ad1cc56bdad9943f4b934f88d78de6b6d36f0d3163d31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
82B

MD5
161109f79808cfb6a41a419e9c0e94a8

SHA1
9e8191ceeaaa07868efe2a90ad9179902509c6e2

SHA256
1f0311b2dfc1ef35e51cd0271e0e6af6549fe3a3089a9cdc9ad3568cd424523a

SHA512
6c3b41b0ddf7cf86b2faf7583dbff9a752d9545c7028359378911d4244186f66e403547aad6e10fb7ad1cc56bdad9943f4b934f88d78de6b6d36f0d3163d31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
82B

MD5
161109f79808cfb6a41a419e9c0e94a8

SHA1
9e8191ceeaaa07868efe2a90ad9179902509c6e2

SHA256
1f0311b2dfc1ef35e51cd0271e0e6af6549fe3a3089a9cdc9ad3568cd424523a

SHA512
6c3b41b0ddf7cf86b2faf7583dbff9a752d9545c7028359378911d4244186f66e403547aad6e10fb7ad1cc56bdad9943f4b934f88d78de6b6d36f0d3163d31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
137B

MD5
056790f3eb43965f15607ab9c0033728

SHA1
8b046f529d49fc8f2a18a5980bd8f2ebda060760

SHA256
6fde3727651f6939b3fa4a2a439eed949c71185aec227b2d6eb602f057939bb0

SHA512
3dcbde7e83f427189a51a016403384b5ac1e68f1d6d4250c4fed36e21272288e4c7da532271a6212f2ed99ea47ebda5a7e36482c09c6b833b6982b4bebe10171

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
820KB

MD5
4408d904c304c3becc5b3f28b9fd2b62

SHA1
741db1ee6c9dd4daa862c531d4194b2745aa2789

SHA256
a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02

SHA512
ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32

Download Submit
memory/108-227-0x0000000000000000-mapping.dmp

Download
memory/188-255-0x0000000000401668-mapping.dmp

Download
memory/188-260-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/188-264-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/268-314-0x0000000000000000-mapping.dmp

Download
memory/476-58-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/476-74-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/476-59-0x000000000049E90C-mapping.dmp

Download
memory/476-64-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/476-60-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/476-63-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/476-62-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/564-57-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/564-54-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/564-61-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/564-55-0x0000000000401668-mapping.dmp

Download
memory/620-313-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/620-317-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/620-306-0x000000000049E90C-mapping.dmp

Download
memory/668-319-0x0000000000000000-mapping.dmp

Download
memory/672-131-0x0000000000000000-mapping.dmp

Download
memory/792-275-0x0000000000000000-mapping.dmp

Download
memory/816-295-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/816-285-0x000000000049E90C-mapping.dmp

Download
memory/816-291-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/836-103-0x0000000000000000-mapping.dmp

Download
memory/836-316-0x0000000000000000-mapping.dmp

Download
memory/876-230-0x0000000000000000-mapping.dmp

Download
memory/896-211-0x0000000000401668-mapping.dmp

Download
memory/896-219-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/936-122-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/936-117-0x0000000000401668-mapping.dmp

Download
memory/952-113-0x0000000000000000-mapping.dmp

Download
memory/1040-270-0x0000000000000000-mapping.dmp

Download
memory/1064-193-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1064-182-0x0000000000401668-mapping.dmp

Download
memory/1092-292-0x0000000000000000-mapping.dmp

Download
memory/1100-168-0x0000000000000000-mapping.dmp

Download
memory/1116-205-0x0000000000000000-mapping.dmp

Download
memory/1136-202-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1136-194-0x000000000049E90C-mapping.dmp

Download
memory/1136-206-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1160-297-0x0000000000000000-mapping.dmp

Download
memory/1248-225-0x0000000000000000-mapping.dmp

Download
memory/1276-228-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1276-217-0x000000000049E90C-mapping.dmp

Download
memory/1276-224-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1284-300-0x0000000000401668-mapping.dmp

Download
memory/1284-308-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1316-76-0x0000000000000000-mapping.dmp

Download
memory/1328-175-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1328-166-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1328-155-0x000000000049E90C-mapping.dmp

Download
memory/1328-165-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1336-101-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1336-95-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1336-110-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1336-100-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1336-91-0x000000000049E90C-mapping.dmp

Download
memory/1360-134-0x0000000000000000-mapping.dmp

Download
memory/1372-106-0x0000000000000000-mapping.dmp

Download
memory/1396-66-0x0000000000000000-mapping.dmp

Download
memory/1448-73-0x0000000000000000-mapping.dmp

Download
memory/1508-171-0x0000000000000000-mapping.dmp

Download
memory/1600-249-0x0000000000000000-mapping.dmp

Download
memory/1608-247-0x0000000000000000-mapping.dmp

Download
memory/1648-278-0x0000000000401668-mapping.dmp

Download
memory/1648-283-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1668-272-0x0000000000000000-mapping.dmp

Download
memory/1672-208-0x0000000000000000-mapping.dmp

Download
memory/1716-252-0x0000000000000000-mapping.dmp

Download
memory/1740-144-0x0000000000401668-mapping.dmp

Download
memory/1740-158-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1744-203-0x0000000000000000-mapping.dmp

Download
memory/1760-269-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1760-262-0x000000000049E90C-mapping.dmp

Download
memory/1760-273-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1788-140-0x0000000000000000-mapping.dmp

Download
memory/1804-178-0x0000000000000000-mapping.dmp

Download
memory/1964-233-0x0000000000401668-mapping.dmp

Download
memory/1964-241-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1992-246-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1992-250-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1992-239-0x000000000049E90C-mapping.dmp

Download
memory/2020-294-0x0000000000000000-mapping.dmp

Download
memory/2036-79-0x0000000000401668-mapping.dmp

Download
memory/2036-89-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads