af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605

Analysis

max time kernel
156s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Size

49KB
MD5

fd0e477f26eccd783d2819b1c35e4d40
SHA1

ace074e56e7f8875405cba17cdf48d4c053b37e5
SHA256

af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605
SHA512

5d804fe7c5b500f58c4bf37e93b4f62766da5fc058d0f0cad02fd6903491ff45c91e1c1fba119c89290fc3a4f16626a78d100c635728ae6e5fdb27ac55d80ae9
SSDEEP

1536:Rffj6lx9QTW/dfhoBbWnkYswggDwx8ltmHUr9:RffMxv/dfwbj0RDo8l7

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 60 IoCs

Processes:

wuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exe

pid	process
4636	wuaucldt.exe
5112	wuaucldt.exe
3616	wuaucldt.exe
2620	wuaucldt.exe
4748	wuaucldt.exe
1824	wuaucldt.exe
3192	wuaucldt.exe
2188	wuaucldt.exe
4620	wuaucldt.exe
4004	wuaucldt.exe
4376	wuaucldt.exe
1380	wuaucldt.exe
1964	wuaucldt.exe
3048	wuaucldt.exe
2596	wuaucldt.exe
4312	wuaucldt.exe
840	wuaucldt.exe
4080	wuaucldt.exe
4308	wuaucldt.exe
2916	wuaucldt.exe
1620	wuaucldt.exe
4108	wuaucldt.exe
4908	wuaucldt.exe
5084	wuaucldt.exe
4756	wuaucldt.exe
2024	wuaucldt.exe
568	wuaucldt.exe
2640	wuaucldt.exe
3644	wuaucldt.exe
5080	wuaucldt.exe
660	wuaucldt.exe
1160	wuaucldt.exe
3260	wuaucldt.exe
2620	wuaucldt.exe
4500	wuaucldt.exe
4620	wuaucldt.exe
3536	wuaucldt.exe
3756	wuaucldt.exe
4480	wuaucldt.exe
2772	wuaucldt.exe
4940	wuaucldt.exe
512	wuaucldt.exe
1628	wuaucldt.exe
2324	wuaucldt.exe
1676	wuaucldt.exe
440	wuaucldt.exe
2236	wuaucldt.exe
4308	wuaucldt.exe
220	wuaucldt.exe
4960	wuaucldt.exe
4828	wuaucldt.exe
4416	wuaucldt.exe
5084	wuaucldt.exe
3180	wuaucldt.exe
3724	wuaucldt.exe
368	wuaucldt.exe
3848	wuaucldt.exe
4700	wuaucldt.exe
3708	wuaucldt.exe
4340	wuaucldt.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4000-0-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4000-1-0x0000000000400000-0x0000000000414001-memory.dmp	upx
C:\Windows\SysWOW64\wuaucldt.exe	upx
behavioral2/memory/4000-10-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4636-17-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/3616-37-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/2620-42-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/3192-64-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/2188-66-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4376-71-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4376-94-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/1380-95-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/2596-114-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4312-115-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4308-135-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/2916-144-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4908-166-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/5084-168-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/568-170-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/568-193-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/2640-195-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/1160-222-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/660-223-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4500-240-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4620-242-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4480-259-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/2772-260-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/1628-275-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/1676-284-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/2236-293-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/220-302-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/4828-312-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/5084-323-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/3724-333-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/3848-342-0x0000000000400000-0x0000000000414001-memory.dmp	upx
behavioral2/memory/3708-373-0x0000000000400000-0x0000000000414001-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exewuaucldt.exewuaucldt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe"	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe"	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe"	wuaucldt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe"	wuaucldt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe"	wuaucldt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe"	wuaucldt.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 13 IoCs

Processes:

wuaucldt.exewuaucldt.exefd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe
File opened for modification	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exefd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe

description	pid	process	target process
PID 4000 set thread context of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4636 set thread context of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 3616 set thread context of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 2620 set thread context of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 4748 set thread context of 1956	4748	wuaucldt.exe	svchost.exe
PID 3192 set thread context of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 2188 set thread context of 4004	2188	wuaucldt.exe	wuaucldt.exe
PID 4376 set thread context of 1964	4376	wuaucldt.exe	wuaucldt.exe
PID 1380 set thread context of 3048	1380	wuaucldt.exe	wuaucldt.exe
PID 2596 set thread context of 840	2596	wuaucldt.exe	wuaucldt.exe
PID 4312 set thread context of 4080	4312	wuaucldt.exe	wuaucldt.exe
PID 4308 set thread context of 1620	4308	wuaucldt.exe	wuaucldt.exe
PID 2916 set thread context of 4108	2916	wuaucldt.exe	wuaucldt.exe
PID 4908 set thread context of 4756	4908	wuaucldt.exe	wuaucldt.exe
PID 5084 set thread context of 2024	5084	wuaucldt.exe	wuaucldt.exe
PID 568 set thread context of 3644	568	wuaucldt.exe	wuaucldt.exe
PID 2640 set thread context of 5080	2640	wuaucldt.exe	wuaucldt.exe
PID 660 set thread context of 3260	660	wuaucldt.exe	wuaucldt.exe
PID 1160 set thread context of 2620	1160	wuaucldt.exe	wuaucldt.exe
PID 4500 set thread context of 3536	4500	wuaucldt.exe	wuaucldt.exe
PID 4620 set thread context of 3756	4620	wuaucldt.exe	wuaucldt.exe
PID 4480 set thread context of 4940	4480	wuaucldt.exe	wuaucldt.exe
PID 2772 set thread context of 512	2772	wuaucldt.exe	wuaucldt.exe
PID 5112 set thread context of 3704	5112	wuaucldt.exe	svchost.exe
PID 1628 set thread context of 2324	1628	wuaucldt.exe	wuaucldt.exe
PID 1676 set thread context of 440	1676	wuaucldt.exe	wuaucldt.exe
PID 2236 set thread context of 4308	2236	wuaucldt.exe	wuaucldt.exe
PID 220 set thread context of 4960	220	wuaucldt.exe	wuaucldt.exe
PID 4828 set thread context of 4416	4828	wuaucldt.exe	wuaucldt.exe
PID 5084 set thread context of 3180	5084	wuaucldt.exe	wuaucldt.exe
PID 3724 set thread context of 368	3724	wuaucldt.exe	wuaucldt.exe
PID 3848 set thread context of 4700	3848	wuaucldt.exe	wuaucldt.exe
PID 3708 set thread context of 4340	3708	wuaucldt.exe	wuaucldt.exe
PID 1268 set thread context of 64	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 660	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 4172	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 4376	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 3128	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 1564	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 1516	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 4780	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 568	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 1360	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 3040	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 60	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 3416	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 5076	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 944	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 1160	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 4964	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 3924	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 5024	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 3152	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 208	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 3776	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 4472	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 4064	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 2936	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 3260	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 976	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 4244	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 3180	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe
PID 5112 set thread context of 1008	5112	wuaucldt.exe	svchost.exe
PID 1268 set thread context of 4612	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	svchost.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

pid	process
4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
4636	wuaucldt.exe
3616	wuaucldt.exe
2620	wuaucldt.exe
3192	wuaucldt.exe
2188	wuaucldt.exe
4376	wuaucldt.exe
1380	wuaucldt.exe
4312	wuaucldt.exe
2596	wuaucldt.exe
4308	wuaucldt.exe
2916	wuaucldt.exe
4908	wuaucldt.exe
5084	wuaucldt.exe
568	wuaucldt.exe
2640	wuaucldt.exe
660	wuaucldt.exe
1160	wuaucldt.exe
4500	wuaucldt.exe
4620	wuaucldt.exe
4480	wuaucldt.exe
2772	wuaucldt.exe
1628	wuaucldt.exe
1676	wuaucldt.exe
2236	wuaucldt.exe
220	wuaucldt.exe
4828	wuaucldt.exe
5084	wuaucldt.exe
3724	wuaucldt.exe
3848	wuaucldt.exe
3708	wuaucldt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exefd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exewuaucldt.exe

description	pid	process	target process
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 4000 wrote to memory of 1268	4000	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
PID 1268 wrote to memory of 4636	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 1268 wrote to memory of 4636	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 1268 wrote to memory of 4636	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 4636 wrote to memory of 5112	4636	wuaucldt.exe	wuaucldt.exe
PID 1268 wrote to memory of 3616	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 1268 wrote to memory of 3616	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 1268 wrote to memory of 3616	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 5112 wrote to memory of 2620	5112	wuaucldt.exe	wuaucldt.exe
PID 5112 wrote to memory of 2620	5112	wuaucldt.exe	wuaucldt.exe
PID 5112 wrote to memory of 2620	5112	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 3616 wrote to memory of 4748	3616	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 2620 wrote to memory of 1824	2620	wuaucldt.exe	wuaucldt.exe
PID 1268 wrote to memory of 3192	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 1268 wrote to memory of 3192	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 1268 wrote to memory of 3192	1268	fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe	wuaucldt.exe
PID 4748 wrote to memory of 1956	4748	wuaucldt.exe	svchost.exe
PID 4748 wrote to memory of 1956	4748	wuaucldt.exe	svchost.exe
PID 4748 wrote to memory of 1956	4748	wuaucldt.exe	svchost.exe
PID 4748 wrote to memory of 1956	4748	wuaucldt.exe	svchost.exe
PID 5112 wrote to memory of 2188	5112	wuaucldt.exe	wuaucldt.exe
PID 5112 wrote to memory of 2188	5112	wuaucldt.exe	wuaucldt.exe
PID 5112 wrote to memory of 2188	5112	wuaucldt.exe	wuaucldt.exe
PID 4748 wrote to memory of 1956	4748	wuaucldt.exe	svchost.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe
PID 3192 wrote to memory of 4620	3192	wuaucldt.exe	wuaucldt.exe

C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000

C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\fd0e477f26eccd783d2819b1c35e4d40_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5112

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:1824

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2188

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:4004

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4376

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:1964

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2596

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:840

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4308

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:1620

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4908

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:4756

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:568

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:3644

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:660

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:3260

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4500

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:3536

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4480

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
6⤵
- Executes dropped EXE
PID:4940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1564

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:60

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:5076

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3152

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3776

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:2268

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:4932

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:2916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:2680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:2392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:3228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:396

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:688

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3616

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Writes to the Master Boot Record (MBR)
PID:1956

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4620

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1380

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:3048

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4312

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4080

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2916

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4108

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5084

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:2024

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2640

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:5080

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1160

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:2620

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4620

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\SysWOW64\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:3756

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2772

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:512

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1628

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:2324

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1676

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:440

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2236

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4308

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:220

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4960

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4828

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4416

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5084

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:3180

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3724

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:368

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3848

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4700

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3708

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
4⤵
- Executes dropped EXE
PID:4340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:64

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4172

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1516

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3416

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:5024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:208

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4472

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4660

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4636

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3640 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wuaucldt.exe
Filesize
49KB

MD5
fd0e477f26eccd783d2819b1c35e4d40

SHA1
ace074e56e7f8875405cba17cdf48d4c053b37e5

SHA256
af204a3b364e15c8fff9e6a1adfce189e4267ea4ff2a49c116d10ba08c4bb605

SHA512
5d804fe7c5b500f58c4bf37e93b4f62766da5fc058d0f0cad02fd6903491ff45c91e1c1fba119c89290fc3a4f16626a78d100c635728ae6e5fdb27ac55d80ae9

Download Submit
memory/60-456-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

Filesize
36KB

Download
memory/64-356-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/64-436-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/208-542-0x0000000000F50000-0x0000000000F59000-memory.dmp

Filesize
36KB

Download
memory/220-302-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/512-257-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/568-170-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/568-193-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/568-440-0x0000000000FB0000-0x0000000000FB9000-memory.dmp

Filesize
36KB

Download
memory/660-223-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/660-360-0x0000000000FB0000-0x0000000000FB9000-memory.dmp

Filesize
36KB

Download
memory/944-470-0x0000000000980000-0x0000000000989000-memory.dmp

Filesize
36KB

Download
memory/976-612-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/1008-628-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download
memory/1160-500-0x0000000000DD0000-0x0000000000DD9000-memory.dmp

Filesize
36KB

Download
memory/1160-222-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/1268-6-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/1268-4-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/1360-448-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/1380-95-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/1516-389-0x0000000001270000-0x0000000001279000-memory.dmp

Filesize
36KB

Download
memory/1564-377-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/1628-275-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/1676-284-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/1824-44-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/1956-49-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/1956-61-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/1956-67-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/1956-54-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/1956-69-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/1956-46-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/2188-66-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2236-293-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2596-114-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2620-42-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2640-195-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2772-260-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2916-144-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/2936-592-0x0000000000E60000-0x0000000000E69000-memory.dmp

Filesize
36KB

Download
memory/3040-452-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/3128-372-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/3152-538-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/3180-324-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/3180-622-0x00000000008A0000-0x00000000008A9000-memory.dmp

Filesize
36KB

Download
memory/3192-64-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/3260-604-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/3416-460-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/3616-37-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/3704-269-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/3708-373-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/3724-333-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/3776-546-0x0000000000A10000-0x0000000000A19000-memory.dmp

Filesize
36KB

Download
memory/3848-342-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/3924-530-0x0000000000D40000-0x0000000000D49000-memory.dmp

Filesize
36KB

Download
memory/4000-0-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4000-1-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4000-10-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4064-562-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/4108-137-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/4172-364-0x0000000000C50000-0x0000000000C59000-memory.dmp

Filesize
36KB

Download
memory/4244-618-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/4308-135-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4312-115-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4376-368-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/4376-94-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4376-71-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4416-311-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/4472-550-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/4480-259-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4500-240-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4620-58-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/4620-242-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4636-17-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4748-36-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/4780-435-0x0000000000F70000-0x0000000000F79000-memory.dmp

Filesize
36KB

Download
memory/4828-312-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4908-166-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/4964-522-0x0000000000EC0000-0x0000000000EC9000-memory.dmp

Filesize
36KB

Download
memory/5024-534-0x0000000000E60000-0x0000000000E69000-memory.dmp

Filesize
36KB

Download
memory/5076-464-0x0000000000360000-0x0000000000369000-memory.dmp

Filesize
36KB

Download
memory/5084-168-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/5084-323-0x0000000000400000-0x0000000000414001-memory.dmp

Filesize
80KB

Download
memory/5112-23-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download