babylonrat | 12a3610e72a00b67a86780d45e2bd0e38d41144275b352247232d47282567384

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Size

1.3MB
MD5

40d74a5a028765d158afa53a9cf69556
SHA1

20e36e3f82d725430c46a752b46b11b9e2342272
SHA256

12a3610e72a00b67a86780d45e2bd0e38d41144275b352247232d47282567384
SHA512

93321752dfaf1da0ae4217ad41e9eaa86f74e2e6acc3f2e8bcd0cbf18eba460635ef003b58708344fbf21ca2e76bebf26f2ec1b0f42148d6cab7625d9bb00c51
SSDEEP

24576:ZSQHqj7vff5cIymms7K9OpkToGGTNd2+EHJnl+GyDDr4+os9V/WGNMx7lM/v3Q+j:ZSQK3mIyml7lZT321H5lDyDn4s9ZBvAK

Score

10^/10

babylonrat discovery persistence trojan

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 64 IoCs

Processes:

Skype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

pid	process
1048	Skype.exe
2712	Skype.exe
2596	Skype.exe
616	Skype.exe
2812	Skype.exe
2892	Skype.exe
2996	Skype.exe
1652	Skype.exe
2056	Skype.exe
440	Skype.exe
2028	Skype.exe
892	Skype.exe
2436	Skype.exe
2196	Skype.exe
1592	Skype.exe
1372	Skype.exe
1928	Skype.exe
2932	Skype.exe
3060	Skype.exe
2704	Skype.exe
2312	Skype.exe
2936	Skype.exe
2956	Skype.exe
2892	Skype.exe
2384	Skype.exe
1580	Skype.exe
1328	Skype.exe
2244	Skype.exe
1404	Skype.exe
868	Skype.exe
880	Skype.exe
2804	Skype.exe
2192	Skype.exe
2556	Skype.exe
2696	Skype.exe
2912	Skype.exe
2572	Skype.exe
748	Skype.exe
1444	Skype.exe
2644	Skype.exe
2680	Skype.exe
2004	Skype.exe
1204	Skype.exe
1132	Skype.exe
352	Skype.exe
1644	Skype.exe
1924	Skype.exe
1940	Skype.exe
2472	Skype.exe
1800	Skype.exe
2852	Skype.exe
2740	Skype.exe
2416	Skype.exe
1272	Skype.exe
2588	Skype.exe
1712	Skype.exe
1976	Skype.exe
2072	Skype.exe
1892	Skype.exe
2764	Skype.exe
2156	Skype.exe
2284	Skype.exe
2512	Skype.exe
2248	Skype.exe

Loads dropped DLL 1 IoCs

Processes:

40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe

pid process

2148 40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe

pid	process
2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Skype.exe40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe

Suspicious use of SetThreadContext 46 IoCs

Processes:

40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

description	pid	process	target process
PID 2088 set thread context of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 1048 set thread context of 2712	1048	Skype.exe	Skype.exe
PID 2596 set thread context of 616	2596	Skype.exe	Skype.exe
PID 2812 set thread context of 2892	2812	Skype.exe	Skype.exe
PID 2996 set thread context of 1652	2996	Skype.exe	Skype.exe
PID 2056 set thread context of 440	2056	Skype.exe	Skype.exe
PID 2028 set thread context of 892	2028	Skype.exe	Skype.exe
PID 2436 set thread context of 2196	2436	Skype.exe	Skype.exe
PID 1592 set thread context of 1372	1592	Skype.exe	Skype.exe
PID 1928 set thread context of 2932	1928	Skype.exe	Skype.exe
PID 3060 set thread context of 2704	3060	Skype.exe	Skype.exe
PID 2312 set thread context of 2936	2312	Skype.exe	Skype.exe
PID 2956 set thread context of 2892	2956	Skype.exe	Skype.exe
PID 2384 set thread context of 1580	2384	Skype.exe	Skype.exe
PID 1328 set thread context of 2244	1328	Skype.exe	Skype.exe
PID 1404 set thread context of 868	1404	Skype.exe	Skype.exe
PID 880 set thread context of 2804	880	Skype.exe	Skype.exe
PID 2192 set thread context of 2556	2192	Skype.exe	Skype.exe
PID 2696 set thread context of 2912	2696	Skype.exe	Skype.exe
PID 2572 set thread context of 748	2572	Skype.exe	Skype.exe
PID 1444 set thread context of 2644	1444	Skype.exe	Skype.exe
PID 2680 set thread context of 2004	2680	Skype.exe	Skype.exe
PID 1204 set thread context of 1132	1204	Skype.exe	Skype.exe
PID 352 set thread context of 1644	352	Skype.exe	Skype.exe
PID 1924 set thread context of 1940	1924	Skype.exe	Skype.exe
PID 2472 set thread context of 1800	2472	Skype.exe	Skype.exe
PID 2852 set thread context of 2740	2852	Skype.exe	Skype.exe
PID 2416 set thread context of 1272	2416	Skype.exe	Skype.exe
PID 2588 set thread context of 1712	2588	Skype.exe	Skype.exe
PID 1976 set thread context of 2072	1976	Skype.exe	Skype.exe
PID 1892 set thread context of 2764	1892	Skype.exe	Skype.exe
PID 2156 set thread context of 2284	2156	Skype.exe	Skype.exe
PID 2512 set thread context of 2248	2512	Skype.exe	Skype.exe
PID 1600 set thread context of 2148	1600	Skype.exe	Skype.exe
PID 1872 set thread context of 2748	1872	Skype.exe	Skype.exe
PID 552 set thread context of 1752	552	Skype.exe	Skype.exe
PID 1620 set thread context of 2728	1620	Skype.exe	Skype.exe
PID 2108 set thread context of 1948	2108	Skype.exe	Skype.exe
PID 2260 set thread context of 920	2260	Skype.exe	Skype.exe
PID 1764 set thread context of 2524	1764	Skype.exe	Skype.exe
PID 2276 set thread context of 2692	2276	Skype.exe	Skype.exe
PID 1728 set thread context of 2620	1728	Skype.exe	Skype.exe
PID 1524 set thread context of 2912	1524	Skype.exe	Skype.exe
PID 1972 set thread context of 2584	1972	Skype.exe	Skype.exe
PID 1080 set thread context of 3052	1080	Skype.exe	Skype.exe
PID 952 set thread context of 2264	952	Skype.exe	Skype.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Skype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Skype.exe

pid process

2712 Skype.exe

pid	process
2712	Skype.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Token: SeDebugPrivilege	2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Token: SeTcbPrivilege	2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Token: SeShutdownPrivilege	2712	Skype.exe
Token: SeDebugPrivilege	2712	Skype.exe
Token: SeTcbPrivilege	2712	Skype.exe
Token: SeShutdownPrivilege	616	Skype.exe
Token: SeDebugPrivilege	616	Skype.exe
Token: SeTcbPrivilege	616	Skype.exe
Token: SeShutdownPrivilege	2892	Skype.exe
Token: SeDebugPrivilege	2892	Skype.exe
Token: SeTcbPrivilege	2892	Skype.exe
Token: SeShutdownPrivilege	1652	Skype.exe
Token: SeDebugPrivilege	1652	Skype.exe
Token: SeTcbPrivilege	1652	Skype.exe
Token: SeShutdownPrivilege	440	Skype.exe
Token: SeDebugPrivilege	440	Skype.exe
Token: SeTcbPrivilege	440	Skype.exe
Token: SeShutdownPrivilege	892	Skype.exe
Token: SeDebugPrivilege	892	Skype.exe
Token: SeTcbPrivilege	892	Skype.exe
Token: SeShutdownPrivilege	2196	Skype.exe
Token: SeDebugPrivilege	2196	Skype.exe
Token: SeTcbPrivilege	2196	Skype.exe
Token: SeShutdownPrivilege	1372	Skype.exe
Token: SeDebugPrivilege	1372	Skype.exe
Token: SeTcbPrivilege	1372	Skype.exe
Token: SeShutdownPrivilege	2932	Skype.exe
Token: SeDebugPrivilege	2932	Skype.exe
Token: SeTcbPrivilege	2932	Skype.exe
Token: SeShutdownPrivilege	2704	Skype.exe
Token: SeDebugPrivilege	2704	Skype.exe
Token: SeTcbPrivilege	2704	Skype.exe
Token: SeShutdownPrivilege	2936	Skype.exe
Token: SeDebugPrivilege	2936	Skype.exe
Token: SeTcbPrivilege	2936	Skype.exe
Token: SeShutdownPrivilege	2892	Skype.exe
Token: SeDebugPrivilege	2892	Skype.exe
Token: SeTcbPrivilege	2892	Skype.exe
Token: SeShutdownPrivilege	1580	Skype.exe
Token: SeDebugPrivilege	1580	Skype.exe
Token: SeTcbPrivilege	1580	Skype.exe
Token: SeShutdownPrivilege	2244	Skype.exe
Token: SeDebugPrivilege	2244	Skype.exe
Token: SeTcbPrivilege	2244	Skype.exe
Token: SeShutdownPrivilege	868	Skype.exe
Token: SeDebugPrivilege	868	Skype.exe
Token: SeTcbPrivilege	868	Skype.exe
Token: SeShutdownPrivilege	2804	Skype.exe
Token: SeDebugPrivilege	2804	Skype.exe
Token: SeTcbPrivilege	2804	Skype.exe
Token: SeShutdownPrivilege	2556	Skype.exe
Token: SeDebugPrivilege	2556	Skype.exe
Token: SeTcbPrivilege	2556	Skype.exe
Token: SeShutdownPrivilege	2912	Skype.exe
Token: SeDebugPrivilege	2912	Skype.exe
Token: SeTcbPrivilege	2912	Skype.exe
Token: SeShutdownPrivilege	748	Skype.exe
Token: SeDebugPrivilege	748	Skype.exe
Token: SeTcbPrivilege	748	Skype.exe
Token: SeShutdownPrivilege	2644	Skype.exe
Token: SeDebugPrivilege	2644	Skype.exe
Token: SeTcbPrivilege	2644	Skype.exe
Token: SeShutdownPrivilege	2004	Skype.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Skype.exe

pid process

2712 Skype.exe

pid	process
2712	Skype.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

description	pid	process	target process
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2088 wrote to memory of 2148	2088	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2148 wrote to memory of 1048	2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	Skype.exe
PID 2148 wrote to memory of 1048	2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	Skype.exe
PID 2148 wrote to memory of 1048	2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	Skype.exe
PID 2148 wrote to memory of 1048	2148	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 1048 wrote to memory of 2712	1048	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2596	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2596	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2596	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2596	2712	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2596 wrote to memory of 616	2596	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2812	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2812	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2812	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2812	2712	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2812 wrote to memory of 2892	2812	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2996	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2996	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2996	2712	Skype.exe	Skype.exe
PID 2712 wrote to memory of 2996	2712	Skype.exe	Skype.exe
PID 2996 wrote to memory of 1652	2996	Skype.exe	Skype.exe
PID 2996 wrote to memory of 1652	2996	Skype.exe	Skype.exe
PID 2996 wrote to memory of 1652	2996	Skype.exe	Skype.exe
PID 2996 wrote to memory of 1652	2996	Skype.exe	Skype.exe

C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\ProgramData\Skype\Skype.exe
    "C:\ProgramData\Skype\Skype.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\ProgramData\Skype\Skype.exe
      "C:\ProgramData\Skype\Skype.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2028
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2436
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1592
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3060
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2312
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2956
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2384
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1328
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1404
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:880
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2192
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2696
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2572
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1444
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2680
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1204
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1132
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:352
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1644
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1924
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1940
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2472
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1800
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2852
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2740
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2416
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1272
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2588
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1712
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1976
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2072
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1892
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2764
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2156
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2284
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2512
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2248
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1600
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:2148
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1872
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:552
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1752
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1620
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2728
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2108
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1948
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2260
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:920
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1764
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2524
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2276
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2692
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1728
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2620
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1524
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2912
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1972
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:2584
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1080
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:3052
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        Suspicious use of SetThreadContext
        
        PID:952
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:2264
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 2712
        5⤵
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Skype\Skype.exe

Filesize
1.3MB

MD5
40d74a5a028765d158afa53a9cf69556

SHA1
20e36e3f82d725430c46a752b46b11b9e2342272

SHA256
12a3610e72a00b67a86780d45e2bd0e38d41144275b352247232d47282567384

SHA512
93321752dfaf1da0ae4217ad41e9eaa86f74e2e6acc3f2e8bcd0cbf18eba460635ef003b58708344fbf21ca2e76bebf26f2ec1b0f42148d6cab7625d9bb00c51

Download Submit
memory/616-76-0x0000000000300000-0x0000000000407000-memory.dmp

Filesize
1.0MB

Download
memory/616-80-0x0000000000300000-0x0000000000407000-memory.dmp

Filesize
1.0MB

Download
memory/1048-25-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/1048-26-0x0000000000080000-0x00000000001DA000-memory.dmp

Filesize
1.4MB

Download
memory/1048-27-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-50-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1204-494-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/1404-349-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/1524-950-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/1764-884-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/1976-662-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2088-0-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/2088-15-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-4-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/2088-3-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/2088-2-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-1-0x0000000000CC0000-0x0000000000E1A000-memory.dmp

Filesize
1.4MB

Download
memory/2148-9-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-7-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-17-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-6-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-5-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-10-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-13-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-16-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-8-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2148-22-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2156-715-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/2276-902-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2416-608-0x0000000000390000-0x00000000003A8000-memory.dmp

Filesize
96KB

Download
memory/2596-57-0x0000000000080000-0x00000000001DA000-memory.dmp

Filesize
1.4MB

Download
memory/2712-51-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2712-83-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2712-54-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2712-48-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2712-49-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2712-52-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2712-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-55-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2712-44-0x0000000000220000-0x0000000000327000-memory.dmp

Filesize
1.0MB

Download
memory/2812-82-0x0000000000080000-0x00000000001DA000-memory.dmp

Filesize
1.4MB

Download