Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    27-10-2024 21:26

General

  • Target

    76075733fb727bb2d730e46b478a48e6_JaffaCakes118.exe

  • Size

    403KB

  • MD5

    76075733fb727bb2d730e46b478a48e6

  • SHA1

    a8d4195935a392a004c5ce9cba836f2d88b98b98

  • SHA256

    67927f573bf925d53a2f5358260dcaf7f0754cefed9de61dba6b2d61a718829b

  • SHA512

    07bd396d4211ad30517d1267929add7fef6442d808c60a408a440203a70a0fbc8fba975c3127c09a456af68084d7d2158ca4038cef99d82d69bcc9cda2d53533

  • SSDEEP

    12288:w8c4ZULdcJYPUSWXPCJRwHaB8eoNo+UEgW+HIAQ:wt4ZGdcJYWPCYXeoO+ULHIAQ

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76075733fb727bb2d730e46b478a48e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\76075733fb727bb2d730e46b478a48e6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
        PID:4884
      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
        "C:\Windows\system32\Windupdt\winupdate.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
          • Adds Run key to start application
          PID:2588
        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
          "C:\Windows\system32\Windupdt\winupdate.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4860
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            4⤵
              PID:4152
            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
              "C:\Windows\system32\Windupdt\winupdate.exe"
              4⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              PID:1456
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                5⤵
                • Adds Run key to start application
                PID:1480
              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                "C:\Windows\system32\Windupdt\winupdate.exe"
                5⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                PID:4496
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  6⤵
                  • Adds Run key to start application
                  PID:2432
                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                  "C:\Windows\system32\Windupdt\winupdate.exe"
                  6⤵
                  • Modifies WinLogon for persistence
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  • Modifies registry class
                  PID:2212
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad
                    7⤵
                      PID:2564
                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                      "C:\Windows\system32\Windupdt\winupdate.exe"
                      7⤵
                      • Modifies WinLogon for persistence
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Modifies registry class
                      PID:1156
                      • C:\Windows\SysWOW64\notepad.exe
                        notepad
                        8⤵
                          PID:1064
                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                          "C:\Windows\system32\Windupdt\winupdate.exe"
                          8⤵
                          • Modifies WinLogon for persistence
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          PID:1828
                          • C:\Windows\SysWOW64\notepad.exe
                            notepad
                            9⤵
                              PID:1468
                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                              "C:\Windows\system32\Windupdt\winupdate.exe"
                              9⤵
                              • Modifies WinLogon for persistence
                              • Checks computer location settings
                              • Executes dropped EXE
                              PID:4536
                              • C:\Windows\SysWOW64\notepad.exe
                                notepad
                                10⤵
                                  PID:3184
                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                  10⤵
                                  • Modifies WinLogon for persistence
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Modifies registry class
                                  PID:4160
                                  • C:\Windows\SysWOW64\notepad.exe
                                    notepad
                                    11⤵
                                    • Adds Run key to start application
                                    • System Location Discovery: System Language Discovery
                                    PID:1384
                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                    11⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Modifies registry class
                                    PID:4972
                                    • C:\Windows\SysWOW64\notepad.exe
                                      notepad
                                      12⤵
                                        PID:3368
                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                        12⤵
                                        • Modifies WinLogon for persistence
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry class
                                        PID:4468
                                        • C:\Windows\SysWOW64\notepad.exe
                                          notepad
                                          13⤵
                                          • Adds Run key to start application
                                          PID:624
                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                          13⤵
                                          • Modifies WinLogon for persistence
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          PID:4496
                                          • C:\Windows\SysWOW64\notepad.exe
                                            notepad
                                            14⤵
                                            • Adds Run key to start application
                                            • System Location Discovery: System Language Discovery
                                            PID:3680
                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                            14⤵
                                            • Modifies WinLogon for persistence
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry class
                                            PID:3476
                                            • C:\Windows\SysWOW64\notepad.exe
                                              notepad
                                              15⤵
                                              • Adds Run key to start application
                                              • Drops file in System32 directory
                                              PID:4364
                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                              15⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              PID:4792
                                              • C:\Windows\SysWOW64\notepad.exe
                                                notepad
                                                16⤵
                                                • Adds Run key to start application
                                                PID:1952
                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                16⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Modifies registry class
                                                PID:748
                                                • C:\Windows\SysWOW64\notepad.exe
                                                  notepad
                                                  17⤵
                                                    PID:4264
                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                    17⤵
                                                    • Modifies WinLogon for persistence
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Adds Run key to start application
                                                    • Drops file in System32 directory
                                                    • Modifies registry class
                                                    PID:2792
                                                    • C:\Windows\SysWOW64\notepad.exe
                                                      notepad
                                                      18⤵
                                                      • Drops file in System32 directory
                                                      PID:3076
                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                      18⤵
                                                      • Modifies WinLogon for persistence
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Adds Run key to start application
                                                      • Drops file in System32 directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies registry class
                                                      PID:4896
                                                      • C:\Windows\SysWOW64\notepad.exe
                                                        notepad
                                                        19⤵
                                                          PID:1056
                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                          19⤵
                                                          • Modifies WinLogon for persistence
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Adds Run key to start application
                                                          • Drops file in System32 directory
                                                          • Modifies registry class
                                                          PID:4696
                                                          • C:\Windows\SysWOW64\notepad.exe
                                                            notepad
                                                            20⤵
                                                              PID:5180
                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                              20⤵
                                                              • Modifies WinLogon for persistence
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              PID:5240
                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                notepad
                                                                21⤵
                                                                • Adds Run key to start application
                                                                PID:5296
                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                21⤵
                                                                • Modifies WinLogon for persistence
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                • Modifies registry class
                                                                PID:5364
                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                  notepad
                                                                  22⤵
                                                                  • Adds Run key to start application
                                                                  PID:5416
                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                  22⤵
                                                                  • Modifies WinLogon for persistence
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  • Modifies registry class
                                                                  PID:5496
                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                    notepad
                                                                    23⤵
                                                                    • Adds Run key to start application
                                                                    PID:5552
                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                    23⤵
                                                                    • Modifies WinLogon for persistence
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    • Drops file in System32 directory
                                                                    • Modifies registry class
                                                                    PID:5620
                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                      notepad
                                                                      24⤵
                                                                      • Adds Run key to start application
                                                                      PID:5672
                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                      24⤵
                                                                      • Modifies WinLogon for persistence
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Adds Run key to start application
                                                                      • Drops file in System32 directory
                                                                      • Modifies registry class
                                                                      PID:5744
                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                        notepad
                                                                        25⤵
                                                                          PID:5796
                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                          25⤵
                                                                          • Modifies WinLogon for persistence
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Modifies registry class
                                                                          PID:5876
                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                            notepad
                                                                            26⤵
                                                                              PID:5936
                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                              26⤵
                                                                              • Modifies WinLogon for persistence
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              PID:6004
                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                notepad
                                                                                27⤵
                                                                                • Adds Run key to start application
                                                                                • Drops file in System32 directory
                                                                                PID:6064
                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                27⤵
                                                                                • Modifies WinLogon for persistence
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                PID:6128
                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                  notepad
                                                                                  28⤵
                                                                                  • Adds Run key to start application
                                                                                  PID:5144
                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                  28⤵
                                                                                  • Modifies WinLogon for persistence
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Adds Run key to start application
                                                                                  • Modifies registry class
                                                                                  PID:5404
                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                    notepad
                                                                                    29⤵
                                                                                      PID:3908
                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                      29⤵
                                                                                      • Modifies WinLogon for persistence
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Adds Run key to start application
                                                                                      • Drops file in System32 directory
                                                                                      • Modifies registry class
                                                                                      PID:5684
                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                        notepad
                                                                                        30⤵
                                                                                        • Drops file in System32 directory
                                                                                        PID:5492
                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                        30⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Modifies registry class
                                                                                        PID:3540
                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                          notepad
                                                                                          31⤵
                                                                                          • Adds Run key to start application
                                                                                          • Drops file in System32 directory
                                                                                          PID:6080
                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                          31⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies registry class
                                                                                          PID:1840
                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                            notepad
                                                                                            32⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:3508
                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                            32⤵
                                                                                            • Modifies WinLogon for persistence
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:5716
                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                              notepad
                                                                                              33⤵
                                                                                              • Adds Run key to start application
                                                                                              • Drops file in System32 directory
                                                                                              PID:5852
                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                              33⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              PID:5212
                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                notepad
                                                                                                34⤵
                                                                                                • Adds Run key to start application
                                                                                                PID:5412
                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                34⤵
                                                                                                • Modifies WinLogon for persistence
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Adds Run key to start application
                                                                                                • Modifies registry class
                                                                                                PID:3540
                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                  notepad
                                                                                                  35⤵
                                                                                                  • Adds Run key to start application
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:6184
                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                  35⤵
                                                                                                  • Modifies WinLogon for persistence
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:6288
                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                    notepad
                                                                                                    36⤵
                                                                                                      PID:6356
                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                      36⤵
                                                                                                      • Modifies WinLogon for persistence
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      • Modifies registry class
                                                                                                      PID:6436
                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                        notepad
                                                                                                        37⤵
                                                                                                        • Adds Run key to start application
                                                                                                        PID:6492
                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                        37⤵
                                                                                                        • Modifies WinLogon for persistence
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Adds Run key to start application
                                                                                                        • Modifies registry class
                                                                                                        PID:6572
                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                          notepad
                                                                                                          38⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:6632
                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                          38⤵
                                                                                                          • Modifies WinLogon for persistence
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:6696
                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                            notepad
                                                                                                            39⤵
                                                                                                            • Adds Run key to start application
                                                                                                            PID:6748
                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                            39⤵
                                                                                                            • Modifies WinLogon for persistence
                                                                                                            • Executes dropped EXE
                                                                                                            PID:6820
                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                              notepad
                                                                                                              40⤵
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:6880
                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                              40⤵
                                                                                                              • Modifies WinLogon for persistence
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Adds Run key to start application
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Modifies registry class
                                                                                                              PID:6944
                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                notepad
                                                                                                                41⤵
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:6992
                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                41⤵
                                                                                                                • Modifies WinLogon for persistence
                                                                                                                • Executes dropped EXE
                                                                                                                • Adds Run key to start application
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry class
                                                                                                                PID:7064
                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                  notepad
                                                                                                                  42⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:7124
                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                  42⤵
                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Adds Run key to start application
                                                                                                                  • Modifies registry class
                                                                                                                  PID:5032
                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                    notepad
                                                                                                                    43⤵
                                                                                                                      PID:444
                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                      43⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Adds Run key to start application
                                                                                                                      • Modifies registry class
                                                                                                                      PID:5060
                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                        notepad
                                                                                                                        44⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:6224
                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                        44⤵
                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Adds Run key to start application
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        • Modifies registry class
                                                                                                                        PID:1472
                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                          notepad
                                                                                                                          45⤵
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:6384
                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                          45⤵
                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Modifies registry class
                                                                                                                          PID:6464
                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                            notepad
                                                                                                                            46⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:6616
                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                            46⤵
                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                            • Checks computer location settings
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            • Modifies registry class
                                                                                                                            PID:6840
                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                              notepad
                                                                                                                              47⤵
                                                                                                                                PID:6768
                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                47⤵
                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Adds Run key to start application
                                                                                                                                • Drops file in System32 directory
                                                                                                                                • Modifies registry class
                                                                                                                                PID:6940
                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                  notepad
                                                                                                                                  48⤵
                                                                                                                                    PID:7136
                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                    48⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Adds Run key to start application
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:3968
                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                      notepad
                                                                                                                                      49⤵
                                                                                                                                        PID:3540
                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                        49⤵
                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:6424
                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                          notepad
                                                                                                                                          50⤵
                                                                                                                                            PID:6576
                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                            50⤵
                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:6852
                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                              notepad
                                                                                                                                              51⤵
                                                                                                                                                PID:2552
                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                51⤵
                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                • Checks computer location settings
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Adds Run key to start application
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:6416
                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                  notepad
                                                                                                                                                  52⤵
                                                                                                                                                    PID:4956
                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                    52⤵
                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:4120
                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                      notepad
                                                                                                                                                      53⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:6800
                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                      53⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      • Modifies registry class
                                                                                                                                                      PID:7184
                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                        notepad
                                                                                                                                                        54⤵
                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:7236
                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                        54⤵
                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Modifies registry class
                                                                                                                                                        PID:7304
                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                          notepad
                                                                                                                                                          55⤵
                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                          PID:7364
                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                          55⤵
                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          PID:7428
                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                            notepad
                                                                                                                                                            56⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:7476
                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                            56⤵
                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                            • Checks computer location settings
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            • Modifies registry class
                                                                                                                                                            PID:7548
                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                              notepad
                                                                                                                                                              57⤵
                                                                                                                                                                PID:7604
                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                57⤵
                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                • Modifies registry class
                                                                                                                                                                PID:7672
                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                  notepad
                                                                                                                                                                  58⤵
                                                                                                                                                                    PID:7720
                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                    58⤵
                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                    PID:7796
                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                      notepad
                                                                                                                                                                      59⤵
                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                      PID:7852
                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                      59⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                      PID:7916
                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                        notepad
                                                                                                                                                                        60⤵
                                                                                                                                                                          PID:7976
                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                          60⤵
                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                          PID:8040
                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                            notepad
                                                                                                                                                                            61⤵
                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                            PID:8096
                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                            61⤵
                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            PID:7224
                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                              notepad
                                                                                                                                                                              62⤵
                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                              PID:7260
                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                              62⤵
                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                              PID:7328
                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                notepad
                                                                                                                                                                                63⤵
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                PID:7528
                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                63⤵
                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                PID:7548
                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                  notepad
                                                                                                                                                                                  64⤵
                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                  PID:7696
                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                  64⤵
                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                  PID:7988
                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                    notepad
                                                                                                                                                                                    65⤵
                                                                                                                                                                                      PID:8108
                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                      65⤵
                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                      PID:8144
                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                        notepad
                                                                                                                                                                                        66⤵
                                                                                                                                                                                          PID:7276
                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                          66⤵
                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                          PID:7592
                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                            notepad
                                                                                                                                                                                            67⤵
                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                            PID:3904
                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                            67⤵
                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                            PID:7188
                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                              notepad
                                                                                                                                                                                              68⤵
                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                              PID:3864
                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                              68⤵
                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                              • Modifies registry class
                                                                                                                                                                                              PID:7800
                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                notepad
                                                                                                                                                                                                69⤵
                                                                                                                                                                                                  PID:7452
                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                  69⤵
                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                  PID:8252
                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                    notepad
                                                                                                                                                                                                    70⤵
                                                                                                                                                                                                      PID:8300
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                      70⤵
                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                      PID:8376
                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        notepad
                                                                                                                                                                                                        71⤵
                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                        PID:8436
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                        71⤵
                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                        • Modifies registry class
                                                                                                                                                                                                        PID:8500
                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                          notepad
                                                                                                                                                                                                          72⤵
                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:8560
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                          72⤵
                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                          PID:8624
                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            notepad
                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:8672
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                            PID:8744
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              notepad
                                                                                                                                                                                                              74⤵
                                                                                                                                                                                                                PID:8792
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                74⤵
                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                PID:8868
                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  notepad
                                                                                                                                                                                                                  75⤵
                                                                                                                                                                                                                    PID:8928
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                    75⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                    • Modifies registry class
                                                                                                                                                                                                                    PID:8988
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                      notepad
                                                                                                                                                                                                                      76⤵
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      PID:9048
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                      76⤵
                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                      • Modifies registry class
                                                                                                                                                                                                                      PID:9112
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        notepad
                                                                                                                                                                                                                        77⤵
                                                                                                                                                                                                                          PID:9160
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                          77⤵
                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                                          PID:7204
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                            notepad
                                                                                                                                                                                                                            78⤵
                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                            PID:8200
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                            78⤵
                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                                                                            PID:8400
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              notepad
                                                                                                                                                                                                                              79⤵
                                                                                                                                                                                                                                PID:8584
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                79⤵
                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                • Modifies registry class
                                                                                                                                                                                                                                PID:8732
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  notepad
                                                                                                                                                                                                                                  80⤵
                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                  PID:8840
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                  80⤵
                                                                                                                                                                                                                                    PID:8864
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    80⤵
                                                                                                                                                                                                                                      PID:4164
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    79⤵
                                                                                                                                                                                                                                      PID:8624
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    78⤵
                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                    PID:8572
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  77⤵
                                                                                                                                                                                                                                    PID:7404
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  76⤵
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  PID:9120
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                75⤵
                                                                                                                                                                                                                                  PID:8996
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                74⤵
                                                                                                                                                                                                                                  PID:8876
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                73⤵
                                                                                                                                                                                                                                  PID:8752
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                72⤵
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:8632
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              71⤵
                                                                                                                                                                                                                                PID:8508
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              70⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:8384
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                            69⤵
                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                            PID:8260
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          68⤵
                                                                                                                                                                                                                            PID:7940
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          67⤵
                                                                                                                                                                                                                            PID:6504
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          66⤵
                                                                                                                                                                                                                            PID:7552
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          65⤵
                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                          PID:8064
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        64⤵
                                                                                                                                                                                                                          PID:8008
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        63⤵
                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                        PID:7636
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                      62⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:7460
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    61⤵
                                                                                                                                                                                                                      PID:5844
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    60⤵
                                                                                                                                                                                                                      PID:8048
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    59⤵
                                                                                                                                                                                                                      PID:7924
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    58⤵
                                                                                                                                                                                                                      PID:7804
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    57⤵
                                                                                                                                                                                                                      PID:7680
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                    56⤵
                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                    PID:7556
                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  55⤵
                                                                                                                                                                                                                    PID:7436
                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  54⤵
                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                  PID:7312
                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                53⤵
                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                PID:7192
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              52⤵
                                                                                                                                                                                                                PID:6944
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              51⤵
                                                                                                                                                                                                                PID:6388
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              50⤵
                                                                                                                                                                                                                PID:6696
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              49⤵
                                                                                                                                                                                                                PID:6392
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              48⤵
                                                                                                                                                                                                                PID:1272
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              47⤵
                                                                                                                                                                                                                PID:7016
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              46⤵
                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                              PID:6776
                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            45⤵
                                                                                                                                                                                                              PID:6440
                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            44⤵
                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                            PID:1892
                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                          43⤵
                                                                                                                                                                                                            PID:3712
                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                          42⤵
                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                          PID:5876
                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        41⤵
                                                                                                                                                                                                          PID:7072
                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        40⤵
                                                                                                                                                                                                          PID:6952
                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        39⤵
                                                                                                                                                                                                          PID:6828
                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        38⤵
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:6704
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  37⤵
  PID:6580
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  36⤵
  PID:6444
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  35⤵
  • System Location Discovery: System Language Discovery
  PID:6296
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  34⤵
  PID:1840
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  33⤵
  PID:5392
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  32⤵
  PID:5820
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  31⤵
  PID:5472
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  30⤵
  • System Location Discovery: System Language Discovery
  PID:4556
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  29⤵
  • System Location Discovery: System Language Discovery
  PID:5708
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  28⤵
  PID:5368
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  27⤵
  • System Location Discovery: System Language Discovery
  PID:6136
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  26⤵
  PID:6012
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  25⤵
  PID:5884
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  24⤵
  • System Location Discovery: System Language Discovery
  PID:5752
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  23⤵
  PID:5628
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  22⤵
  PID:5504
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  21⤵
  PID:5372
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  20⤵
  PID:5248
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  19⤵
  PID:5124
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  18⤵
  PID:400
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  17⤵
  • System Location Discovery: System Language Discovery
  PID:2920
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  16⤵
  • System Location Discovery: System Language Discovery
  PID:1520
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  15⤵
  • System Location Discovery: System Language Discovery
  PID:936
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  14⤵
  PID:1784
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  13⤵
  PID:2540
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  12⤵
  • System Location Discovery: System Language Discovery
  PID:4588
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  11⤵
  • System Location Discovery: System Language Discovery
  PID:2340
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  10⤵
  PID:3580
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  9⤵
  PID:3168
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  8⤵
  PID:4528
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  7⤵
  PID:1528
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  6⤵
  • System Location Discovery: System Language Discovery
  PID:1412
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  5⤵
  PID:4540
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  4⤵
  PID:3032
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  3⤵
  • System Location Discovery: System Language Discovery
  PID:4136
• C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  • Deletes itself
  PID:2068
• C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe
  1⤵
  PID:4792
• C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  1⤵
  PID:7548

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Windows\SysWOW64\Windupdt\winupdate.exe
  Filesize: 403KB
  MD5: 76075733fb727bb2d730e46b478a48e6
  SHA1: a8d4195935a392a004c5ce9cba836f2d88b98b98
  SHA256: 67927f573bf925d53a2f5358260dcaf7f0754cefed9de61dba6b2d61a718829b
  SHA512: 07bd396d4211ad30517d1267929add7fef6442d808c60a408a440203a70a0fbc8fba975c3127c09a456af68084d7d2158ca4038cef99d82d69bcc9cda2d53533
  Note: size and all four digests are identical to the submitted sample, so winupdate.exe is a byte-for-byte copy of the original executable placed under SysWOW64\Windupdt, not a second-stage download. Any host that has this path, or a file with this SHA256, is carrying the same DarkComet build.

• \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  Note: these are the digests of zero-length input, so this entry records that the sample opened the srvsvc named pipe (the Server service RPC endpoint) without any content being captured; the hashes are not usable as indicators.

• memory/748-102-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/1156-65-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/1408-45-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/1456-53-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/1828-69-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/2068-36-0x0000000001020000-0x0000000001021000-memory.dmp
  Filesize: 4KB
• memory/2212-61-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/2792-107-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/3444-40-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/3444-2-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/3444-0-0x00000000131D0000-0x00000000131D2000-memory.dmp
  Filesize: 8KB
• memory/3444-1-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/3476-94-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4160-77-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4468-86-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4496-90-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4496-57-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4536-73-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4696-115-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4792-98-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4860-49-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4884-4-0x0000000000A60000-0x0000000000A61000-memory.dmp
  Filesize: 4KB
• memory/4896-111-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/4972-81-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/5240-119-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB
• memory/5364-124-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize: 768KB

Note: the dump names encode PID, sequence number and address range. 23 of the 26 dumps cover the same 768KB range 0x13140000-0x13200000, spread across 20 distinct PIDs (3444 is dumped three times at that range and 4496 twice). 0x13140000 is the image base DarkComet stubs are known to use, so the same RAT body is mapped in every one of the spawned copies; the 8KB dump 3444-0 at 0x131D0000 falls inside that image. PID 4792 is among the 20, and the process tree lists 4792 as C:\Windows\servicing\TrustedInstaller.exe, so either the RAT body was written into that process or the PID was reused during the run. The only dumps outside that image are the 4KB pages at 0x1020000 in 2068 (the notepad.exe flagged "Deletes itself") and at 0xA60000 in 4884.
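The two checks made above by hand (the dropped winupdate.exe is a copy of the sample; the srvsvc pipe entry carries empty-input digests; the same 768KB region recurs across PIDs) are the kind of thing worth scripting when reports like this arrive in bulk. The following is an added example, not the sandbox's own tooling: it parses the report's bullet/label/value layout from a constructed excerpt that copies a subset of the entries above (the hashes and PIDs are the report's own; the excerpt omits most memory entries for brevity), classifies each dropped file against the sample's SHA-256 and the empty-input digests, and groups memory dumps by address range so a shared region stands out. Function and variable names are this example's own.

```python
"""Triage helpers for the Downloads and memory-dump listings of a sandbox report.

Added example: this is not the report's own tooling. REPORT is a constructed
excerpt that copies a subset of the entries above in the report's own
layout (bullet line, then label and value on separate lines).
"""
import hashlib
import re
from collections import defaultdict

REPORT = """
Downloads

• C:\\Windows\\SysWOW64\\Windupdt\\winupdate.exe
  Filesize
  403KB
  MD5
  76075733fb727bb2d730e46b478a48e6
  SHA256
  67927f573bf925d53a2f5358260dcaf7f0754cefed9de61dba6b2d61a718829b

• \\??\\PIPE\\srvsvc
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

• memory/748-102-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize
  768KB
• memory/2068-36-0x0000000001020000-0x0000000001021000-memory.dmp
  Filesize
  4KB
• memory/3444-2-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize
  768KB
• memory/4792-98-0x0000000013140000-0x0000000013200000-memory.dmp
  Filesize
  768KB
"""

# SHA-256 of the submitted sample, copied from the report header.
SAMPLE_SHA256 = "67927f573bf925d53a2f5358260dcaf7f0754cefed9de61dba6b2d61a718829b"

# Digests of zero-length input: an entry carrying these had no captured content.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEM_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_entries(text):
    """Return [(name, {label: value}), ...] from the bullet/label/value layout."""
    entries = []
    name, attrs, pending = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if name is not None:
                entries.append((name, attrs))
            name, attrs, pending = line[1:].strip(), {}, None
        elif name is None:
            continue  # section heading such as "Downloads"
        elif line in LABELS:
            pending = line  # the next non-empty line is this label's value
        elif pending is not None:
            attrs[pending] = line
            pending = None
    if name is not None:
        entries.append((name, attrs))
    return entries


def classify_drops(entries, sample_sha256):
    """Label each dropped file: self-copy of the sample, empty artefact, or other."""
    findings = {}
    for name, attrs in entries:
        if MEM_RE.match(name):
            continue  # memory dumps are handled by group_memory_regions
        sha = attrs.get("SHA256", "").lower()
        md5 = attrs.get("MD5", "").lower()
        if sha == sample_sha256.lower():
            findings[name] = "self-copy"
        elif sha == EMPTY_SHA256 or md5 == EMPTY_MD5:
            findings[name] = "empty"
        else:
            findings[name] = "other"
    return findings


def group_memory_regions(entries):
    """Map (start, end) -> sorted PIDs whose dumps cover exactly that range."""
    regions = defaultdict(set)
    for name, _ in entries:
        m = MEM_RE.match(name)
        if m:
            rng = (int(m["start"], 16), int(m["end"], 16))
            regions[rng].add(int(m["pid"]))
    return {rng: sorted(pids) for rng, pids in regions.items()}


def region_size_kb(start, end):
    """Size of an address range in KiB, matching the report's Filesize column."""
    return (end - start) // 1024


if __name__ == "__main__":
    found = parse_entries(REPORT)
    for drop, verdict in classify_drops(found, SAMPLE_SHA256).items():
        print(f"{verdict:10} {drop}")
    for (start, end), pids in sorted(group_memory_regions(found).items()):
        print(f"0x{start:X}-0x{end:X} ({region_size_kb(start, end)}KB) in PIDs {pids}")
```

Run against the full listing above, `group_memory_regions` returns twenty PIDs for the 0x13140000-0x13200000 key; the empty-digest check is what stops the srvsvc hashes from being pushed into a blocklist by mistake.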