darkcomet | bb14ef332f01f1db8ce7a225adc9fe5f6ee5c4a6ffd2038478065e270080abad

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winupdate.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winupdate.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winupdate.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe

Executes dropped EXE 4 IoCs

pid	Process
3048	CCSETUP305.EXE
2304	winupdate.exe
5060	winupdate.exe
4268	CCSETUP305.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 2304 set thread context of 5060	2304	winupdate.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSETUP305.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSETUP305.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023b69-82.dat	nsis_installer_1
behavioral2/files/0x000a000000023b69-82.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5060	winupdate.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSecurityPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeBackupPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeRestorePrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeShutdownPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeDebugPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeUndockPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 33	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 34	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 35	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: 36	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
Token: SeDebugPrivilege	2304	winupdate.exe
Token: SeIncreaseQuotaPrivilege	5060	winupdate.exe
Token: SeSecurityPrivilege	5060	winupdate.exe
Token: SeTakeOwnershipPrivilege	5060	winupdate.exe
Token: SeLoadDriverPrivilege	5060	winupdate.exe
Token: SeSystemProfilePrivilege	5060	winupdate.exe
Token: SeSystemtimePrivilege	5060	winupdate.exe
Token: SeProfSingleProcessPrivilege	5060	winupdate.exe
Token: SeIncBasePriorityPrivilege	5060	winupdate.exe
Token: SeCreatePagefilePrivilege	5060	winupdate.exe
Token: SeBackupPrivilege	5060	winupdate.exe
Token: SeRestorePrivilege	5060	winupdate.exe
Token: SeShutdownPrivilege	5060	winupdate.exe
Token: SeDebugPrivilege	5060	winupdate.exe
Token: SeSystemEnvironmentPrivilege	5060	winupdate.exe
Token: SeChangeNotifyPrivilege	5060	winupdate.exe
Token: SeRemoteShutdownPrivilege	5060	winupdate.exe
Token: SeUndockPrivilege	5060	winupdate.exe
Token: SeManageVolumePrivilege	5060	winupdate.exe
Token: SeImpersonatePrivilege	5060	winupdate.exe
Token: SeCreateGlobalPrivilege	5060	winupdate.exe
Token: 33	5060	winupdate.exe
Token: 34	5060	winupdate.exe
Token: 35	5060	winupdate.exe
Token: 36	5060	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5060	winupdate.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 1928 wrote to memory of 2084	1928	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	83
PID 2084 wrote to memory of 3048	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	84
PID 2084 wrote to memory of 3048	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	84
PID 2084 wrote to memory of 3048	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	84
PID 3048 wrote to memory of 4648	3048	CCSETUP305.EXE	85
PID 3048 wrote to memory of 4648	3048	CCSETUP305.EXE	85
PID 2084 wrote to memory of 764	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	87
PID 2084 wrote to memory of 764	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	87
PID 2084 wrote to memory of 764	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	87
PID 2084 wrote to memory of 2304	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	88
PID 2084 wrote to memory of 2304	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	88
PID 2084 wrote to memory of 2304	2084	99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe	88
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 2304 wrote to memory of 5060	2304	winupdate.exe	89
PID 5060 wrote to memory of 4792	5060	winupdate.exe	90
PID 5060 wrote to memory of 4792	5060	winupdate.exe	90
PID 5060 wrote to memory of 4792	5060	winupdate.exe	90
PID 5060 wrote to memory of 4268	5060	winupdate.exe	91
PID 5060 wrote to memory of 4268	5060	winupdate.exe	91
PID 5060 wrote to memory of 4268	5060	winupdate.exe	91
PID 4268 wrote to memory of 4852	4268	CCSETUP305.EXE	94
PID 4268 wrote to memory of 4852	4268	CCSETUP305.EXE	94

C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\99d2656e3599ba235242dc9763b3940b_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE
    "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\system32\pcaui.exe
      "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
      4⤵
      PID:4648
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:764
- - C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe
    "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe
      "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
      4⤵
      Modifies security service
      Windows security bypass
      Disables RegEdit via registry modification
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\system32\pcaui.exe
        
        "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\CCSETUP305.EXE"
        6⤵
        
        PID:4852

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

72.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.209.201.84.in-addr.arpa

IN PTR

Response
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

107.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.12.20.2.in-addr.arpa

IN PTR

Response

107.12.20.2.in-addr.arpa

IN PTR

a2-20-12-107deploystaticakamaitechnologiescom
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response
DNS

meteoreguy.no-ip.biz

winupdate.exe

Remote address:

8.8.8.8:53

Request

meteoreguy.no-ip.biz

IN A

Response

No results found

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

72.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

72.209.201.84.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

107.12.20.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

107.12.20.2.in-addr.arpa
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz
8.8.8.8:53

meteoreguy.no-ip.biz

dns

winupdate.exe

66 B
126 B
1
1

DNS Request

meteoreguy.no-ip.biz

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery