Analysis
- max time kernel: 84s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 27/09/2024, 16:29
Static task: static1
Behavioral task: behavioral1
- Sample: fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
- Size: 10KB
- MD5: fabf99a2cfac761249eedce378f05770
- SHA1: c64af7337680192d793ad25af0881c0bd9811d44
- SHA256: 72ba635926cc6fc3998d9318352d5611d42937b46b5e1af4758cda4a94498060
- SHA512: dd6ae99b373c681efb2cccf47deb76f49b6c869be50507325827ea15004b3bf5ec2b4da633877fccf81eb23ab118f85372effab05b09e18b8bdbf4e8754d3a8e
- SSDEEP: 192:ba8WiGFw8lgm1L1uhgrq92UHHkZo5PiJwZIqdGTKZFwhxvzb:HWiG+8lZ1uCm2cH2o5PgwquAvzb
Malware Config
Signatures

Modifies firewall policy service (3 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | Process not Found
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\syswow64\upnp.exe = "c:\\windows\\syswow64\\upnp.exe:*:Enabled:upnp" | upnp.exe
Executes dropped EXE (64 IoCs)

pid | Process
1908 | upnp.exe
2516 | upnp.exe
2112 | upnp.exe
1640 | upnp.exe
2768 | upnp.exe
2928 | upnp.exe
2744 | upnp.exe
2196 | upnp.exe
2844 | upnp.exe
2332 | upnp.exe
2840 | upnp.exe
2652 | upnp.exe
2672 | upnp.exe
1752 | upnp.exe
468 | upnp.exe
2584 | upnp.exe
2888 | upnp.exe
2972 | upnp.exe
1432 | upnp.exe
1388 | upnp.exe
1136 | upnp.exe
2056 | upnp.exe
2340 | upnp.exe
600 | upnp.exe
1764 | upnp.exe
1436 | upnp.exe
848 | upnp.exe
1304 | upnp.exe
1732 | upnp.exe
1568 | upnp.exe
2600 | upnp.exe
2144 | upnp.exe
1500 | upnp.exe
2512 | upnp.exe
1564 | upnp.exe
996 | upnp.exe
1248 | upnp.exe
1492 | upnp.exe
1716 | upnp.exe
2952 | upnp.exe
796 | upnp.exe
568 | upnp.exe
2260 | upnp.exe
2060 | upnp.exe
1748 | upnp.exe
2100 | upnp.exe
1664 | upnp.exe
1720 | upnp.exe
1860 | upnp.exe
1456 | upnp.exe
2192 | upnp.exe
2236 | upnp.exe
2404 | upnp.exe
2348 | upnp.exe
2244 | upnp.exe
1980 | upnp.exe
1908 | upnp.exe
1672 | upnp.exe
2208 | upnp.exe
2360 | upnp.exe
2760 | upnp.exe
2836 | upnp.exe
2868 | upnp.exe
2932 | upnp.exe
Loads dropped DLL (64 IoCs)

pid | Process
2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
1908 | upnp.exe
1908 | upnp.exe
2516 | upnp.exe
2516 | upnp.exe
2112 | upnp.exe
2112 | upnp.exe
1640 | upnp.exe
1640 | upnp.exe
2768 | upnp.exe
2768 | upnp.exe
2928 | upnp.exe
2928 | upnp.exe
2744 | upnp.exe
2744 | upnp.exe
2196 | upnp.exe
2196 | upnp.exe
2844 | upnp.exe
2844 | upnp.exe
2332 | upnp.exe
2332 | upnp.exe
2840 | upnp.exe
2840 | upnp.exe
2652 | upnp.exe
2652 | upnp.exe
2672 | upnp.exe
2672 | upnp.exe
1752 | upnp.exe
1752 | upnp.exe
468 | upnp.exe
468 | upnp.exe
2584 | upnp.exe
2584 | upnp.exe
2888 | upnp.exe
2888 | upnp.exe
2972 | upnp.exe
2972 | upnp.exe
1432 | upnp.exe
1432 | upnp.exe
1388 | upnp.exe
1388 | upnp.exe
1136 | upnp.exe
1136 | upnp.exe
2056 | upnp.exe
2056 | upnp.exe
2340 | upnp.exe
2340 | upnp.exe
600 | upnp.exe
600 | upnp.exe
1764 | upnp.exe
1764 | upnp.exe
1436 | upnp.exe
1436 | upnp.exe
848 | upnp.exe
848 | upnp.exe
1304 | upnp.exe
1304 | upnp.exe
1732 | upnp.exe
1732 | upnp.exe
1568 | upnp.exe
1568 | upnp.exe
2600 | upnp.exe
2600 | upnp.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | Process not Found
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
File created | \??\c:\windows\SysWOW64\upnp.exe | upnp.exe
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upnp.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
Token: SeDebugPrivilege | 1908 | upnp.exe
Token: SeDebugPrivilege | 2516 | upnp.exe
Token: SeDebugPrivilege | 2112 | upnp.exe
Token: SeDebugPrivilege | 1640 | upnp.exe
Token: SeDebugPrivilege | 2768 | upnp.exe
Token: SeDebugPrivilege | 2928 | upnp.exe
Token: SeDebugPrivilege | 2744 | upnp.exe
Token: SeDebugPrivilege | 2196 | upnp.exe
Token: SeDebugPrivilege | 2844 | upnp.exe
Token: SeDebugPrivilege | 2332 | upnp.exe
Token: SeDebugPrivilege | 2840 | upnp.exe
Token: SeDebugPrivilege | 2652 | upnp.exe
Token: SeDebugPrivilege | 2672 | upnp.exe
Token: SeDebugPrivilege | 1752 | upnp.exe
Token: SeDebugPrivilege | 468 | upnp.exe
Token: SeDebugPrivilege | 2584 | upnp.exe
Token: SeDebugPrivilege | 2888 | upnp.exe
Token: SeDebugPrivilege | 2972 | upnp.exe
Token: SeDebugPrivilege | 1432 | upnp.exe
Token: SeDebugPrivilege | 1388 | upnp.exe
Token: SeDebugPrivilege | 1136 | upnp.exe
Token: SeDebugPrivilege | 2056 | upnp.exe
Token: SeDebugPrivilege | 2340 | upnp.exe
Token: SeDebugPrivilege | 600 | upnp.exe
Token: SeDebugPrivilege | 1764 | upnp.exe
Token: SeDebugPrivilege | 1436 | upnp.exe
Token: SeDebugPrivilege | 848 | upnp.exe
Token: SeDebugPrivilege | 1304 | upnp.exe
Token: SeDebugPrivilege | 1732 | upnp.exe
Token: SeDebugPrivilege | 1568 | upnp.exe
Token: SeDebugPrivilege | 2600 | upnp.exe
Token: SeDebugPrivilege | 2144 | upnp.exe
Token: SeDebugPrivilege | 1500 | upnp.exe
Token: SeDebugPrivilege | 2512 | upnp.exe
Token: SeDebugPrivilege | 1564 | upnp.exe
Token: SeDebugPrivilege | 996 | upnp.exe
Token: SeDebugPrivilege | 1248 | upnp.exe
Token: SeDebugPrivilege | 1492 | upnp.exe
Token: SeDebugPrivilege | 1716 | upnp.exe
Token: SeDebugPrivilege | 2952 | upnp.exe
Token: SeDebugPrivilege | 796 | upnp.exe
Token: SeDebugPrivilege | 568 | upnp.exe
Token: SeDebugPrivilege | 2260 | upnp.exe
Token: SeDebugPrivilege | 2060 | upnp.exe
Token: SeDebugPrivilege | 1748 | upnp.exe
Token: SeDebugPrivilege | 2100 | upnp.exe
Token: SeDebugPrivilege | 1664 | upnp.exe
Token: SeDebugPrivilege | 1720 | upnp.exe
Token: SeDebugPrivilege | 1860 | upnp.exe
Token: SeDebugPrivilege | 1456 | upnp.exe
Token: SeDebugPrivilege | 2192 | upnp.exe
Token: SeDebugPrivilege | 2404 | upnp.exe
Token: SeDebugPrivilege | 2348 | upnp.exe
Token: SeDebugPrivilege | 2244 | upnp.exe
Token: SeDebugPrivilege | 1980 | upnp.exe
Token: SeDebugPrivilege | 1908 | upnp.exe
Token: SeDebugPrivilege | 1672 | upnp.exe
Token: SeDebugPrivilege | 2208 | upnp.exe
Token: SeDebugPrivilege | 2360 | upnp.exe
Token: SeDebugPrivilege | 2760 | upnp.exe
Token: SeDebugPrivilege | 2836 | upnp.exe
Token: SeDebugPrivilege | 2868 | upnp.exe
Token: SeDebugPrivilege | 2932 | upnp.exe
Suspicious use of SetWindowsHookEx (64 IoCs)

pid | Process
2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
1908 | upnp.exe
2516 | upnp.exe
2112 | upnp.exe
1640 | upnp.exe
2768 | upnp.exe
2928 | upnp.exe
2744 | upnp.exe
2196 | upnp.exe
2844 | upnp.exe
2332 | upnp.exe
2840 | upnp.exe
2652 | upnp.exe
2672 | upnp.exe
1752 | upnp.exe
468 | upnp.exe
2584 | upnp.exe
2888 | upnp.exe
2972 | upnp.exe
1432 | upnp.exe
1388 | upnp.exe
1136 | upnp.exe
2056 | upnp.exe
2340 | upnp.exe
600 | upnp.exe
1764 | upnp.exe
1436 | upnp.exe
848 | upnp.exe
1304 | upnp.exe
1732 | upnp.exe
1568 | upnp.exe
2600 | upnp.exe
2144 | upnp.exe
1500 | upnp.exe
2512 | upnp.exe
1564 | upnp.exe
996 | upnp.exe
1248 | upnp.exe
1492 | upnp.exe
1716 | upnp.exe
2952 | upnp.exe
796 | upnp.exe
568 | upnp.exe
2260 | upnp.exe
2060 | upnp.exe
1748 | upnp.exe
2100 | upnp.exe
1664 | upnp.exe
1720 | upnp.exe
1860 | upnp.exe
1456 | upnp.exe
2192 | upnp.exe
2404 | upnp.exe
2348 | upnp.exe
2244 | upnp.exe
1980 | upnp.exe
1908 | upnp.exe
1672 | upnp.exe
2208 | upnp.exe
2360 | upnp.exe
2760 | upnp.exe
2836 | upnp.exe
2868 | upnp.exe
2932 | upnp.exe
Suspicious use of WriteProcessMemory (64 IoCs)

description | pid | Process | procid_target
PID 2700 wrote to memory of 1908 | 2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe | 30
PID 2700 wrote to memory of 1908 | 2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe | 30
PID 2700 wrote to memory of 1908 | 2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe | 30
PID 2700 wrote to memory of 1908 | 2700 | fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe | 30
PID 1908 wrote to memory of 2516 | 1908 | upnp.exe | 31
PID 1908 wrote to memory of 2516 | 1908 | upnp.exe | 31
PID 1908 wrote to memory of 2516 | 1908 | upnp.exe | 31
PID 1908 wrote to memory of 2516 | 1908 | upnp.exe | 31
PID 2516 wrote to memory of 2112 | 2516 | upnp.exe | 32
PID 2516 wrote to memory of 2112 | 2516 | upnp.exe | 32
PID 2516 wrote to memory of 2112 | 2516 | upnp.exe | 32
PID 2516 wrote to memory of 2112 | 2516 | upnp.exe | 32
PID 2112 wrote to memory of 1640 | 2112 | upnp.exe | 33
PID 2112 wrote to memory of 1640 | 2112 | upnp.exe | 33
PID 2112 wrote to memory of 1640 | 2112 | upnp.exe | 33
PID 2112 wrote to memory of 1640 | 2112 | upnp.exe | 33
PID 1640 wrote to memory of 2768 | 1640 | upnp.exe | 34
PID 1640 wrote to memory of 2768 | 1640 | upnp.exe | 34
PID 1640 wrote to memory of 2768 | 1640 | upnp.exe | 34
PID 1640 wrote to memory of 2768 | 1640 | upnp.exe | 34
PID 2768 wrote to memory of 2928 | 2768 | upnp.exe | 35
PID 2768 wrote to memory of 2928 | 2768 | upnp.exe | 35
PID 2768 wrote to memory of 2928 | 2768 | upnp.exe | 35
PID 2768 wrote to memory of 2928 | 2768 | upnp.exe | 35
PID 2928 wrote to memory of 2744 | 2928 | upnp.exe | 36
PID 2928 wrote to memory of 2744 | 2928 | upnp.exe | 36
PID 2928 wrote to memory of 2744 | 2928 | upnp.exe | 36
PID 2928 wrote to memory of 2744 | 2928 | upnp.exe | 36
PID 2744 wrote to memory of 2196 | 2744 | upnp.exe | 37
PID 2744 wrote to memory of 2196 | 2744 | upnp.exe | 37
PID 2744 wrote to memory of 2196 | 2744 | upnp.exe | 37
PID 2744 wrote to memory of 2196 | 2744 | upnp.exe | 37
PID 2196 wrote to memory of 2844 | 2196 | upnp.exe | 38
PID 2196 wrote to memory of 2844 | 2196 | upnp.exe | 38
PID 2196 wrote to memory of 2844 | 2196 | upnp.exe | 38
PID 2196 wrote to memory of 2844 | 2196 | upnp.exe | 38
PID 2844 wrote to memory of 2332 | 2844 | upnp.exe | 39
PID 2844 wrote to memory of 2332 | 2844 | upnp.exe | 39
PID 2844 wrote to memory of 2332 | 2844 | upnp.exe | 39
PID 2844 wrote to memory of 2332 | 2844 | upnp.exe | 39
PID 2332 wrote to memory of 2840 | 2332 | upnp.exe | 40
PID 2332 wrote to memory of 2840 | 2332 | upnp.exe | 40
PID 2332 wrote to memory of 2840 | 2332 | upnp.exe | 40
PID 2332 wrote to memory of 2840 | 2332 | upnp.exe | 40
PID 2840 wrote to memory of 2652 | 2840 | upnp.exe | 41
PID 2840 wrote to memory of 2652 | 2840 | upnp.exe | 41
PID 2840 wrote to memory of 2652 | 2840 | upnp.exe | 41
PID 2840 wrote to memory of 2652 | 2840 | upnp.exe | 41
PID 2652 wrote to memory of 2672 | 2652 | upnp.exe | 42
PID 2652 wrote to memory of 2672 | 2652 | upnp.exe | 42
PID 2652 wrote to memory of 2672 | 2652 | upnp.exe | 42
PID 2652 wrote to memory of 2672 | 2652 | upnp.exe | 42
PID 2672 wrote to memory of 1752 | 2672 | upnp.exe | 43
PID 2672 wrote to memory of 1752 | 2672 | upnp.exe | 43
PID 2672 wrote to memory of 1752 | 2672 | upnp.exe | 43
PID 2672 wrote to memory of 1752 | 2672 | upnp.exe | 43
PID 1752 wrote to memory of 468 | 1752 | upnp.exe | 44
PID 1752 wrote to memory of 468 | 1752 | upnp.exe | 44
PID 1752 wrote to memory of 468 | 1752 | upnp.exe | 44
PID 1752 wrote to memory of 468 | 1752 | upnp.exe | 44
PID 468 wrote to memory of 2584 | 468 | upnp.exe | 45
PID 468 wrote to memory of 2584 | 468 | upnp.exe | 45
PID 468 wrote to memory of 2584 | 468 | upnp.exe | 45
PID 468 wrote to memory of 2584 | 468 | upnp.exe | 45
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fabf99a2cfac761249eedce378f05770_JaffaCakes118.exe"
PID: 2700
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 2: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 1908
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 3: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2516
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 4: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2112
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 5: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 1640
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 6: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2768
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 7: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2928
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 8: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2744
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 9: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2196
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 10: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2844
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 11: C:\windows\SysWOW64\upnp.exe
Command line: "C:\windows\system32\upnp.exe"
PID: 2332
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2584 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2888 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2972 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1432 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1388 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1136 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2056 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2340 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:600 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"26⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1764 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1436 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:848 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1304 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1568 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2600 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2144 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1500 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2512 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1564 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:996 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1248 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1492 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1716 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2952 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:796 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:568 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2260 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2060 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2100 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1664 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1860 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1456 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2192 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"53⤵
- Executes dropped EXE
PID:2236 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2404 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2348 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2244 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1980 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1672 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2208 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"61⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2360 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2760 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2836 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2868 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"66⤵PID:2628
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"67⤵PID:2744
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"68⤵PID:2780
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"69⤵PID:2648
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"70⤵PID:2480
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"71⤵PID:2644
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"72⤵PID:2636
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"73⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"74⤵PID:2684
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"75⤵PID:2256
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"76⤵PID:1884
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"77⤵
- Modifies firewall policy service
PID:640 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"78⤵PID:788
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"79⤵PID:3032
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"80⤵PID:3020
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"81⤵PID:2904
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"82⤵PID:1900
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"83⤵PID:2608
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"84⤵PID:2972
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"85⤵PID:2008
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"86⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"87⤵PID:2064
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"88⤵PID:2240
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"89⤵PID:2352
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"90⤵PID:576
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"91⤵PID:320
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"92⤵PID:928
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"93⤵PID:528
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"94⤵PID:2028
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"95⤵PID:1852
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"96⤵PID:2992
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"97⤵PID:376
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"98⤵PID:2184
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"99⤵PID:448
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"100⤵
- Drops file in System32 directory
PID:1032 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"101⤵
- Modifies firewall policy service
PID:1536 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"102⤵PID:2708
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"103⤵PID:712
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"104⤵PID:552
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"105⤵PID:2232
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"106⤵PID:2156
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"107⤵PID:1004
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"108⤵PID:948
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"109⤵PID:2288
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"110⤵
- Modifies firewall policy service
PID:1688 -
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"111⤵PID:1232
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"112⤵PID:2492
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"113⤵PID:648
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"114⤵PID:2384
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"115⤵PID:1596
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"116⤵PID:2536
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"117⤵PID:2268
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"118⤵PID:2456
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"119⤵PID:2388
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"120⤵PID:3056
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"121⤵PID:1912
-
C:\windows\SysWOW64\upnp.exe"C:\windows\system32\upnp.exe"122⤵
- Modifies firewall policy service
PID:2540