Analysis Overview
SHA256
82a9aa0fd8bd98de2279486644673dd85f492310074bd2c94a21558c87e98164
Threat Level: Known bad
The file a0944adca0738fef3c942b008d3646ee was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Darkcomet
Windows security bypass
Deletes itself
Loads dropped DLL
Windows security modification
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Runs ping.exe
Modifies registry class
Checks processor information in registry
Enumerates system info in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 23:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 23:08
Reported
2024-02-23 23:12
Platform
win7-20240221-en
Max time kernel
195s
Max time network
138s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\WindowaUpdatet\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\WindowaUpdatet\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2804 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe |
| PID 584 set thread context of 2164 | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | C:\Windows\WindowaUpdatet\winupdate.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WindowaUpdatet\winupdate.exe | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| File opened for modification | C:\Windows\WindowaUpdatet\winupdate.exe | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| File opened for modification | C:\Windows\WindowaUpdatet\ | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe
"C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe"
C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe
C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee
C:\Windows\WindowaUpdatet\winupdate.exe
"C:\Windows\WindowaUpdatet\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
C:\Windows\WindowaUpdatet\winupdate.exe
C:\Windows\WindowaUpdatet\winupdate
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/2584-2-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-4-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-6-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-8-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-10-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-12-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-14-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-16-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2584-20-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-21-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-22-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-23-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-24-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-25-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2584-26-0x0000000000250000-0x0000000000251000-memory.dmp
C:\Windows\WindowaUpdatet\winupdate.exe
| MD5 | a0944adca0738fef3c942b008d3646ee |
| SHA1 | 039ed8aa1a7f2a9d16a246e245b388b64902f717 |
| SHA256 | 82a9aa0fd8bd98de2279486644673dd85f492310074bd2c94a21558c87e98164 |
| SHA512 | cfb87fdf2eee241635a4078080546356ad7f1428bf385016d5aa7909b2e23923df28c685e43f38493bd6857ee64c1d57e00ab34bb5f59bea9a1db8a7183f31a1 |
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat
| MD5 | 8a7ccf4f8832923245069c66ff37712e |
| SHA1 | d67a19bfada2c36eb432e0a86e0834ef26107921 |
| SHA256 | a3c62d78404162e128897d7608d8751561c416c37b10362e5be2a95c7cfbae3a |
| SHA512 | 6a92cac914b4b681f458976e8755912118ee7199d5a7dda0da1f50415c3a495cae754207568b0ea23afd00f9a74f33547fdb0572f7eefee3b3bfcf3055a168bc |
memory/2584-44-0x0000000000400000-0x00000000004C0000-memory.dmp
\Windows\WindowaUpdatet\winupdate.exe
| MD5 | 157b70b28ccb30e83648047b554e3c3d |
| SHA1 | aec6f47ebbbaeac58e84125eed9718fa3f85a4a9 |
| SHA256 | f80290a8421be89d934d806011a56f7f200d39cef25aea9d3c67422ef7d04227 |
| SHA512 | 1086fc5604e9dec06b414b68cc550813faae21af6dcb066ce3718573a18778dfccfffdeeeb67bb650effe309c24c23da2f82dc661b2f2e98e1b6c56304e63126 |
memory/2164-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2164-74-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2164-79-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2164-80-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2164-81-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2164-82-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2164-83-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2164-85-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2164-84-0x0000000000400000-0x00000000004C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 23:08
Reported
2024-02-23 23:11
Platform
win10v2004-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\WindowaUpdatet\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\WindowaUpdatet\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3616 set thread context of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe |
| PID 4292 set thread context of 876 | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | C:\Windows\WindowaUpdatet\winupdate.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WindowaUpdatet\winupdate.exe | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| File opened for modification | C:\Windows\WindowaUpdatet\ | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| File created | C:\Windows\WindowaUpdatet\winupdate.exe | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
| N/A | N/A | C:\Windows\WindowaUpdatet\winupdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe
"C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe"
C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe
C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee
C:\Windows\WindowaUpdatet\winupdate.exe
"C:\Windows\WindowaUpdatet\winupdate.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
C:\Windows\WindowaUpdatet\winupdate.exe
C:\Windows\WindowaUpdatet\winupdate
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.135.221.88.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | spynet151.no-ip.biz | udp |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/5088-2-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/5088-3-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/5088-4-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/5088-5-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/5088-6-0x0000000002880000-0x0000000002881000-memory.dmp
memory/5088-7-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Windows\WindowaUpdatet\winupdate.exe
| MD5 | a0944adca0738fef3c942b008d3646ee |
| SHA1 | 039ed8aa1a7f2a9d16a246e245b388b64902f717 |
| SHA256 | 82a9aa0fd8bd98de2279486644673dd85f492310074bd2c94a21558c87e98164 |
| SHA512 | cfb87fdf2eee241635a4078080546356ad7f1428bf385016d5aa7909b2e23923df28c685e43f38493bd6857ee64c1d57e00ab34bb5f59bea9a1db8a7183f31a1 |
memory/5088-74-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-80-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-81-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-82-0x00000000021C0000-0x00000000021C1000-memory.dmp
memory/876-84-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat
| MD5 | 8a7ccf4f8832923245069c66ff37712e |
| SHA1 | d67a19bfada2c36eb432e0a86e0834ef26107921 |
| SHA256 | a3c62d78404162e128897d7608d8751561c416c37b10362e5be2a95c7cfbae3a |
| SHA512 | 6a92cac914b4b681f458976e8755912118ee7199d5a7dda0da1f50415c3a495cae754207568b0ea23afd00f9a74f33547fdb0572f7eefee3b3bfcf3055a168bc |
memory/876-85-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-86-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-87-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-88-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-89-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-90-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-91-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-92-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-93-0x00000000021C0000-0x00000000021C1000-memory.dmp
memory/876-94-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-95-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-96-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-97-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-98-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-99-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-100-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-101-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-102-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-103-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-104-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/876-105-0x0000000000400000-0x00000000004C0000-memory.dmp