babylonrat | 12a3610e72a00b67a86780d45e2bd0e38d41144275b352247232d47282567384

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Size

1.3MB
MD5

40d74a5a028765d158afa53a9cf69556
SHA1

20e36e3f82d725430c46a752b46b11b9e2342272
SHA256

12a3610e72a00b67a86780d45e2bd0e38d41144275b352247232d47282567384
SHA512

93321752dfaf1da0ae4217ad41e9eaa86f74e2e6acc3f2e8bcd0cbf18eba460635ef003b58708344fbf21ca2e76bebf26f2ec1b0f42148d6cab7625d9bb00c51
SSDEEP

24576:ZSQHqj7vff5cIymms7K9OpkToGGTNd2+EHJnl+GyDDr4+os9V/WGNMx7lM/v3Q+j:ZSQK3mIyml7lZT321H5lDyDn4s9ZBvAK

Score

10^/10

babylonrat discovery persistence trojan

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 64 IoCs

Processes:

Skype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

pid	process
3116	Skype.exe
1856	Skype.exe
1520	Skype.exe
2860	Skype.exe
4524	Skype.exe
1260	Skype.exe
4312	Skype.exe
3120	Skype.exe
112	Skype.exe
3860	Skype.exe
2164	Skype.exe
4468	Skype.exe
1568	Skype.exe
2108	Skype.exe
3508	Skype.exe
2548	Skype.exe
4104	Skype.exe
4604	Skype.exe
3004	Skype.exe
4340	Skype.exe
3256	Skype.exe
2380	Skype.exe
1980	Skype.exe
2752	Skype.exe
2260	Skype.exe
1428	Skype.exe
3500	Skype.exe
3420	Skype.exe
5096	Skype.exe
1144	Skype.exe
1172	Skype.exe
1984	Skype.exe
2656	Skype.exe
3208	Skype.exe
3684	Skype.exe
4544	Skype.exe
1408	Skype.exe
2188	Skype.exe
4756	Skype.exe
1656	Skype.exe
3616	Skype.exe
2488	Skype.exe
4060	Skype.exe
3576	Skype.exe
2572	Skype.exe
1184	Skype.exe
2416	Skype.exe
2592	Skype.exe
4696	Skype.exe
4764	Skype.exe
3376	Skype.exe
4820	Skype.exe
1068	Skype.exe
3296	Skype.exe
536	Skype.exe
3676	Skype.exe
1260	Skype.exe
4780	Skype.exe
2688	Skype.exe
1884	Skype.exe
948	Skype.exe
316	Skype.exe
1264	Skype.exe
3828	Skype.exe

Adds Run key to start application 2 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Skype = "C:\\ProgramData\\Skype\\Skype.exe"	Skype.exe

Suspicious use of SetThreadContext 45 IoCs

Processes:

40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

description	pid	process	target process
PID 2432 set thread context of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 3116 set thread context of 1856	3116	Skype.exe	Skype.exe
PID 1520 set thread context of 2860	1520	Skype.exe	Skype.exe
PID 4524 set thread context of 1260	4524	Skype.exe	Skype.exe
PID 4312 set thread context of 3120	4312	Skype.exe	Skype.exe
PID 112 set thread context of 3860	112	Skype.exe	Skype.exe
PID 2164 set thread context of 4468	2164	Skype.exe	Skype.exe
PID 1568 set thread context of 2108	1568	Skype.exe	Skype.exe
PID 3508 set thread context of 2548	3508	Skype.exe	Skype.exe
PID 4104 set thread context of 4604	4104	Skype.exe	Skype.exe
PID 3004 set thread context of 4340	3004	Skype.exe	Skype.exe
PID 3256 set thread context of 2380	3256	Skype.exe	Skype.exe
PID 1980 set thread context of 2752	1980	Skype.exe	Skype.exe
PID 2260 set thread context of 1428	2260	Skype.exe	Skype.exe
PID 3500 set thread context of 3420	3500	Skype.exe	Skype.exe
PID 5096 set thread context of 1144	5096	Skype.exe	Skype.exe
PID 1172 set thread context of 1984	1172	Skype.exe	Skype.exe
PID 2656 set thread context of 3208	2656	Skype.exe	Skype.exe
PID 3684 set thread context of 4544	3684	Skype.exe	Skype.exe
PID 1408 set thread context of 2188	1408	Skype.exe	Skype.exe
PID 4756 set thread context of 1656	4756	Skype.exe	Skype.exe
PID 3616 set thread context of 2488	3616	Skype.exe	Skype.exe
PID 4060 set thread context of 3576	4060	Skype.exe	Skype.exe
PID 2572 set thread context of 1184	2572	Skype.exe	Skype.exe
PID 2416 set thread context of 2592	2416	Skype.exe	Skype.exe
PID 4696 set thread context of 4764	4696	Skype.exe	Skype.exe
PID 3376 set thread context of 4820	3376	Skype.exe	Skype.exe
PID 1068 set thread context of 3296	1068	Skype.exe	Skype.exe
PID 536 set thread context of 3676	536	Skype.exe	Skype.exe
PID 1260 set thread context of 4780	1260	Skype.exe	Skype.exe
PID 2688 set thread context of 1884	2688	Skype.exe	Skype.exe
PID 948 set thread context of 316	948	Skype.exe	Skype.exe
PID 1264 set thread context of 3828	1264	Skype.exe	Skype.exe
PID 4792 set thread context of 2736	4792	Skype.exe	Skype.exe
PID 4456 set thread context of 2912	4456	Skype.exe	Skype.exe
PID 5024 set thread context of 4816	5024	Skype.exe	Skype.exe
PID 4592 set thread context of 4336	4592	Skype.exe	Skype.exe
PID 1792 set thread context of 4144	1792	Skype.exe	Skype.exe
PID 4136 set thread context of 4760	4136	Skype.exe	Skype.exe
PID 3348 set thread context of 2600	3348	Skype.exe	Skype.exe
PID 3492 set thread context of 2144	3492	Skype.exe	Skype.exe
PID 4580 set thread context of 4088	4580	Skype.exe	Skype.exe
PID 4640 set thread context of 2328	4640	Skype.exe	Skype.exe
PID 1984 set thread context of 4612	1984	Skype.exe	Skype.exe
PID 2896 set thread context of 3512	2896	Skype.exe	Skype.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Skype.exeSkype.exe40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Skype.exe

pid process

1856 Skype.exe

pid	process
1856	Skype.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	4564	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Token: SeDebugPrivilege	4564	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Token: SeTcbPrivilege	4564	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
Token: SeShutdownPrivilege	1856	Skype.exe
Token: SeDebugPrivilege	1856	Skype.exe
Token: SeTcbPrivilege	1856	Skype.exe
Token: SeShutdownPrivilege	2860	Skype.exe
Token: SeDebugPrivilege	2860	Skype.exe
Token: SeTcbPrivilege	2860	Skype.exe
Token: SeShutdownPrivilege	1260	Skype.exe
Token: SeDebugPrivilege	1260	Skype.exe
Token: SeTcbPrivilege	1260	Skype.exe
Token: SeShutdownPrivilege	3120	Skype.exe
Token: SeDebugPrivilege	3120	Skype.exe
Token: SeTcbPrivilege	3120	Skype.exe
Token: SeShutdownPrivilege	4468	Skype.exe
Token: SeDebugPrivilege	4468	Skype.exe
Token: SeTcbPrivilege	4468	Skype.exe
Token: SeShutdownPrivilege	2108	Skype.exe
Token: SeDebugPrivilege	2108	Skype.exe
Token: SeTcbPrivilege	2108	Skype.exe
Token: SeShutdownPrivilege	2548	Skype.exe
Token: SeDebugPrivilege	2548	Skype.exe
Token: SeTcbPrivilege	2548	Skype.exe
Token: SeShutdownPrivilege	4604	Skype.exe
Token: SeDebugPrivilege	4604	Skype.exe
Token: SeTcbPrivilege	4604	Skype.exe
Token: SeShutdownPrivilege	4340	Skype.exe
Token: SeDebugPrivilege	4340	Skype.exe
Token: SeTcbPrivilege	4340	Skype.exe
Token: SeShutdownPrivilege	2380	Skype.exe
Token: SeDebugPrivilege	2380	Skype.exe
Token: SeTcbPrivilege	2380	Skype.exe
Token: SeShutdownPrivilege	2752	Skype.exe
Token: SeDebugPrivilege	2752	Skype.exe
Token: SeTcbPrivilege	2752	Skype.exe
Token: SeShutdownPrivilege	3420	Skype.exe
Token: SeDebugPrivilege	3420	Skype.exe
Token: SeTcbPrivilege	3420	Skype.exe
Token: SeShutdownPrivilege	1144	Skype.exe
Token: SeDebugPrivilege	1144	Skype.exe
Token: SeTcbPrivilege	1144	Skype.exe
Token: SeShutdownPrivilege	1984	Skype.exe
Token: SeDebugPrivilege	1984	Skype.exe
Token: SeTcbPrivilege	1984	Skype.exe
Token: SeShutdownPrivilege	4544	Skype.exe
Token: SeDebugPrivilege	4544	Skype.exe
Token: SeTcbPrivilege	4544	Skype.exe
Token: SeShutdownPrivilege	2188	Skype.exe
Token: SeDebugPrivilege	2188	Skype.exe
Token: SeTcbPrivilege	2188	Skype.exe
Token: SeShutdownPrivilege	1656	Skype.exe
Token: SeDebugPrivilege	1656	Skype.exe
Token: SeTcbPrivilege	1656	Skype.exe
Token: SeShutdownPrivilege	2488	Skype.exe
Token: SeDebugPrivilege	2488	Skype.exe
Token: SeTcbPrivilege	2488	Skype.exe
Token: SeShutdownPrivilege	3576	Skype.exe
Token: SeDebugPrivilege	3576	Skype.exe
Token: SeTcbPrivilege	3576	Skype.exe
Token: SeShutdownPrivilege	2592	Skype.exe
Token: SeDebugPrivilege	2592	Skype.exe
Token: SeTcbPrivilege	2592	Skype.exe
Token: SeShutdownPrivilege	4820	Skype.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Skype.exe

pid process

1856 Skype.exe

pid	process
1856	Skype.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exeSkype.exeSkype.exeSkype.exeSkype.exeSkype.exe

description	pid	process	target process
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 2432 wrote to memory of 4564	2432	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
PID 4564 wrote to memory of 3116	4564	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	Skype.exe
PID 4564 wrote to memory of 3116	4564	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	Skype.exe
PID 4564 wrote to memory of 3116	4564	40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 3116 wrote to memory of 1856	3116	Skype.exe	Skype.exe
PID 1856 wrote to memory of 1520	1856	Skype.exe	Skype.exe
PID 1856 wrote to memory of 1520	1856	Skype.exe	Skype.exe
PID 1856 wrote to memory of 1520	1856	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1520 wrote to memory of 2860	1520	Skype.exe	Skype.exe
PID 1856 wrote to memory of 4524	1856	Skype.exe	Skype.exe
PID 1856 wrote to memory of 4524	1856	Skype.exe	Skype.exe
PID 1856 wrote to memory of 4524	1856	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 4524 wrote to memory of 1260	4524	Skype.exe	Skype.exe
PID 1856 wrote to memory of 4312	1856	Skype.exe	Skype.exe
PID 1856 wrote to memory of 4312	1856	Skype.exe	Skype.exe
PID 1856 wrote to memory of 4312	1856	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 4312 wrote to memory of 3120	4312	Skype.exe	Skype.exe
PID 1856 wrote to memory of 112	1856	Skype.exe	Skype.exe
PID 1856 wrote to memory of 112	1856	Skype.exe	Skype.exe

C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\40d74a5a028765d158afa53a9cf69556_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\ProgramData\Skype\Skype.exe
    "C:\ProgramData\Skype\Skype.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\ProgramData\Skype\Skype.exe
      "C:\ProgramData\Skype\Skype.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4312
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:112
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:3860
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2164
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1568
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3508
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4104
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3004
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3256
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1980
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2260
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:1428
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3500
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5096
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1172
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2656
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:3208
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3684
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1408
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4756
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3616
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4060
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2572
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:1184
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2416
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4696
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:4764
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3376
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1068
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:3296
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:536
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3676
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1260
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:4780
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2688
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1884
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:948
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:316
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1264
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Executes dropped EXE
        
        PID:3828
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4792
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        
        PID:2736
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4456
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        
        PID:2912
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5024
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:4816
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4592
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        
        PID:4336
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:3812
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1792
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:4144
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4136
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        
        PID:4760
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3348
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:2600
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3492
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:2144
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4580
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:4088
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4640
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        
        PID:2328
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:4612
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
      - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe"
        6⤵
        Adds Run key to start application
        
        PID:3512
    - - C:\ProgramData\Skype\Skype.exe
        
        "C:\ProgramData\Skype\Skype.exe" 1856
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Skype\Skype.exe

Filesize
1.3MB

MD5
40d74a5a028765d158afa53a9cf69556

SHA1
20e36e3f82d725430c46a752b46b11b9e2342272

SHA256
12a3610e72a00b67a86780d45e2bd0e38d41144275b352247232d47282567384

SHA512
93321752dfaf1da0ae4217ad41e9eaa86f74e2e6acc3f2e8bcd0cbf18eba460635ef003b58708344fbf21ca2e76bebf26f2ec1b0f42148d6cab7625d9bb00c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Skype.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
memory/112-47-0x00000000025F0000-0x0000000002608000-memory.dmp

Filesize
96KB

Download
memory/1068-192-0x0000000002F60000-0x0000000002F78000-memory.dmp

Filesize
96KB

Download
memory/1144-114-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1172-116-0x0000000002920000-0x0000000002938000-memory.dmp

Filesize
96KB

Download
memory/1260-206-0x0000000000F40000-0x0000000000F58000-memory.dmp

Filesize
96KB

Download
memory/1260-38-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1408-137-0x0000000002320000-0x0000000002338000-memory.dmp

Filesize
96KB

Download
memory/1428-104-0x0000000000700000-0x0000000000807000-memory.dmp

Filesize
1.0MB

Download
memory/1428-100-0x0000000000700000-0x0000000000807000-memory.dmp

Filesize
1.0MB

Download
memory/1568-65-0x00000000030E0000-0x00000000030F8000-memory.dmp

Filesize
96KB

Download
memory/1792-258-0x00000000022C0000-0x00000000022D8000-memory.dmp

Filesize
96KB

Download
memory/1856-110-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-75-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-21-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-96-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-28-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-29-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-25-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-18-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-122-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-85-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-20-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-40-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-42-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-22-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-63-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1856-56-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1984-119-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1984-286-0x0000000002640000-0x0000000002658000-memory.dmp

Filesize
96KB

Download
memory/2108-68-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2164-58-0x0000000002590000-0x00000000025A8000-memory.dmp

Filesize
96KB

Download
memory/2380-90-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2416-170-0x0000000002880000-0x0000000002898000-memory.dmp

Filesize
96KB

Download
memory/2432-1-0x00000000005F0000-0x000000000074A000-memory.dmp

Filesize
1.4MB

Download
memory/2432-3-0x0000000004F60000-0x0000000004F78000-memory.dmp

Filesize
96KB

Download
memory/2432-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2432-2-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2432-4-0x0000000004F80000-0x0000000004F86000-memory.dmp

Filesize
24KB

Download
memory/2432-31-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-73-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2752-94-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2860-34-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2896-289-0x00000000016B0000-0x00000000016C8000-memory.dmp

Filesize
96KB

Download
memory/3116-15-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3116-23-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3120-45-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3256-87-0x0000000004BB0000-0x0000000004BC8000-memory.dmp

Filesize
96KB

Download
memory/3376-185-0x00000000028E0000-0x00000000028F8000-memory.dmp

Filesize
96KB

Download
memory/3420-108-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/3492-272-0x0000000005230000-0x0000000005248000-memory.dmp

Filesize
96KB

Download
memory/3508-70-0x00000000034A0000-0x00000000034B8000-memory.dmp

Filesize
96KB

Download
memory/3616-149-0x0000000000EC0000-0x0000000000ED8000-memory.dmp

Filesize
96KB

Download
memory/3860-51-0x0000000000600000-0x0000000000707000-memory.dmp

Filesize
1.0MB

Download
memory/3860-54-0x0000000000600000-0x0000000000707000-memory.dmp

Filesize
1.0MB

Download
memory/4340-83-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4456-239-0x0000000004D20000-0x0000000004D38000-memory.dmp

Filesize
96KB

Download
memory/4468-61-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4564-10-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4564-14-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4564-5-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4564-6-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4564-8-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4604-79-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4756-142-0x0000000001520000-0x0000000001538000-memory.dmp

Filesize
96KB

Download