Malware Analysis Report

2024-10-23 20:34

Sample ID 240627-qza6watflc
Target 16345de556130b38be95f6e4d8740121_JaffaCakes118
SHA256 532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7
Tags
darkcomet evasion persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7

Threat Level: Known bad

The file 16345de556130b38be95f6e4d8740121_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet evasion persistence rat spyware stealer trojan

Windows security bypass

Modifies WinLogon for persistence

Darkcomet

Darkcomet family

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 13:41

Signatures

Darkcomet family

darkcomet

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 13:41

Reported

2024-06-27 13:44

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windupdt\winupdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windupdt\winupdate.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windupdt\winupdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe" C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\runouce.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\runouce.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 836 set thread context of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\README.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\readme.eml C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSecurityPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeBackupPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeRestorePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeUndockPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: 33 N/A C:\Windupdt\winupdate.exe N/A
Token: 34 N/A C:\Windupdt\winupdate.exe N/A
Token: 35 N/A C:\Windupdt\winupdate.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeSystemtimePrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeUndockPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 332 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
PID 332 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
PID 332 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
PID 332 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2068 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windupdt\winupdate.exe
PID 2068 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windupdt\winupdate.exe
PID 2068 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windupdt\winupdate.exe
PID 2068 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windupdt\winupdate.exe
PID 2068 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windupdt\winupdate.exe
PID 2068 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windupdt\winupdate.exe
PID 2068 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windupdt\winupdate.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 836 wrote to memory of 2592 N/A C:\Windupdt\winupdate.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 332 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"

C:\Windupdt\winupdate.exe

"C:\Windupdt\winupdate.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 duranel78.no-ip.biz udp
US 8.8.8.8:53 btamail.net.cn udp

Files

memory/332-0-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2068-2-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2068-1-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1224-5-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/1224-4-0x0000000002D30000-0x0000000002D31000-memory.dmp

\Windupdt\winupdate.exe

MD5 16345de556130b38be95f6e4d8740121
SHA1 0ced1e7bcc96fb116bee7076f8894d18c9115cba
SHA256 532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7
SHA512 b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7

memory/2068-13-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/836-15-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/836-20-0x0000000000230000-0x00000000002FE000-memory.dmp

memory/2592-21-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/836-23-0x0000000000400000-0x00000000004CE000-memory.dmp

C:\Windows\SysWOW64\runouce.exe

MD5 4ba49affda6b270ba410a6aa3156041b
SHA1 589bac9796bdf20de8c4506ef8d345862ca96881
SHA256 f47fee017927f072cc051e1557135e84f03c62f37c332dcb729648e16ca3abef
SHA512 7c5f5fd34470c95e6cc0782de6f2ded30e1f1fde2b6e84d2c12c5da0b384c8514fc2013a0597271cdc9ba02852b9da5d255c60258d3df15cdf44e2937b13582a

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

MD5 f543083e2a5d7ed9840d9a32b0a9d2ce
SHA1 a950d39a11603820b53755a4d0ffe36f5db5783f
SHA256 53f4c656bf9670eb837912f64fd5641aa96863fc264e7e731c40b8a4472396d8
SHA512 5ef3a23e644566ec8eb125ce0e607dda1fa9b4e2d52e92b98d0c252e228a55c004436c0ae4c7254dafa9fb200a83a80dacad280200a7ffd12b0729ba8480709c

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 8156706568e77846b7bfbcc091c6ffeb
SHA1 792aa0db64f517520ee8f745bee71152532fe4d2
SHA256 5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8
SHA512 8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 7757fe48a0974cb625e89012c92cc995
SHA1 e4684021f14053c3f9526070dc687ff125251162
SHA256 c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03
SHA512 b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

memory/332-462-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/332-567-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/332-876-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/332-985-0x0000000000400000-0x00000000004CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ose00000.exe

MD5 2f8ec7065fc6d01c6b9c121268f6179e
SHA1 65e8919b2b82bc547ea184f17647ad7574ba8ee6
SHA256 516b6ee757d32e4931a299ca0a24e7f93b3b75bdd0c8826b39a078508d2502de
SHA512 f237d281c4881a1989d71bde9a38a8b43d9e733696c199b9a5573afdd1bf28b60abed5ba074c41cb6e26e3de8256fec130fed4d6534c9491b2d8bea53879d166

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

MD5 6d5d0522e89e5800841a9751bfa0521a
SHA1 ee651d5b2486a338b4de0964a43c8b2a5a8c5966
SHA256 0a7822b96ece567633b222d20f1cae5a0569fc28d86c84ece5c61016aa9487a1
SHA512 28171b0b04e8a3be2ff7f997c134b652a6a584809a35f2bc2a3293bb31a6a126d03f39831bcfe24705d6d9b0b1754e0c05ccbd339f2cde678923a8e91ab2a9db

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

MD5 82bc39595f31924c757a45d812beeecd
SHA1 fe8d453eb05a87732ac28f62cf31d0c48726dbdf
SHA256 a430fd6b58bba1e01fc70d7b579c2826b06357b1bc8692dd416139e17684e0d6
SHA512 507fa3db5621aed0514ca9ab4e9e8730989d5580fca10013a6bc884791cf75691d5e40c920a54546b8fe2bca5fafb87aff8f96ecd433ce11d4c2705251914099

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

MD5 6f7a466db89aa477ee5a513527dad359
SHA1 d7ab2985230d654160e8a428a5e729dbbaff47f3
SHA256 c25a43fda3d23a570dcc9ebed7cc3101712b9521e2e38b660a621e9dca1c6eee
SHA512 c9fc69360c095ade135cc8b6368983c4cabe5790d7211d7d281e38841392cc052df16f9e63af6ae02b55ff6a0abce10bb90b8ee3e317fc326fc8633bc06acdc6

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 3406a8cdb7015994b947b5571e0b80ef
SHA1 ba9292c82c29968e49624163f146b905a1548952
SHA256 b87e5d5566223d96ed5b8dee670cb45311acd1dd85d4d37bbe493946ec50a654
SHA512 9e5503f0c2cb5369e47e636d0392f5db6b4bf2b375d0ab2ad94b7ca4a7e4e293e96a9bd6f5b96f51ffe61d4ae614cd1a05707a7570185914d5f8dcd840a5a6b2

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 99645b83b2150282dfd642afe26c573b
SHA1 5a310627f0d411bb57145f35ce48c8b9c57a355e
SHA256 4559d8f333f86ce44379f2063de9523307dd107933fe4f22a5258ecda8702830
SHA512 6c31fd0d899e54a0700c2331388d61734fc9137e816952c2e5781f21b4e71c0b7f0603e00b736e84868bb54b011b37aa64dd751d2531fc9adffe2e020b2cdb3f

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

MD5 f3439478eac0265bbfb6151370c2d051
SHA1 e8fb20db05222b6101c8f93f231edb8d5ea872c3
SHA256 5ce87e9e191e55fd25d1a7145ff1c123e30574a57b30df048ce20323c23ba476
SHA512 1d076ae14a440d280df5c0c7508769e661f06f0ff134bd0caa2c77da6be2f9cda9a20d2c772263c13dd07eae98e0db15385cd756e8d1a07b6a41fb2c042656b1

C:\vcredist2010_x86.log.html

MD5 e791f3e552ad5dad5cc5284177701858
SHA1 b1e444a3e21f24da0e696486725246f593f7e477
SHA256 c9ab47792cdbe09c2e010dd13920213f5b6264ef40d1eab209dabbda7a283e01
SHA512 f6aad713f1bbc388b1691ed02077fefe626f1b43ae5f2bc6cc489bc33e31dfcbc32258d18d79a40ea191adba2a65dc6ea2aed62a83e40877c8bb232394501b69

memory/332-1030-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/332-1034-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/332-1087-0x0000000000400000-0x00000000004CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 13:41

Reported

2024-06-27 13:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windupdt\winupdate.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windupdt\winupdate.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windupdt\winupdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSecurityPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeBackupPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeRestorePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeDebugPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeUndockPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windupdt\winupdate.exe N/A
Token: 33 N/A C:\Windupdt\winupdate.exe N/A
Token: 34 N/A C:\Windupdt\winupdate.exe N/A
Token: 35 N/A C:\Windupdt\winupdate.exe N/A
Token: 36 N/A C:\Windupdt\winupdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windupdt\winupdate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe"

C:\Windupdt\winupdate.exe

"C:\Windupdt\winupdate.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8

Network

Country Destination Domain Proto
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 duranel78.no-ip.biz udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/4956-0-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4956-1-0x0000000002280000-0x0000000002281000-memory.dmp

C:\Windupdt\winupdate.exe

MD5 16345de556130b38be95f6e4d8740121
SHA1 0ced1e7bcc96fb116bee7076f8894d18c9115cba
SHA256 532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7
SHA512 b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7

memory/4956-35-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-36-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-38-0x0000000002180000-0x0000000002181000-memory.dmp

memory/4920-39-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-40-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-43-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-47-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-48-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-51-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4920-52-0x0000000000400000-0x00000000004CE000-memory.dmp