darkcomet | 09ca89cac8dc7d77aebe7c5de08379d6546be00d799decf59bfee7dce0bbe0b1

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Size

1.3MB
MD5

ae1a4ed9fdf3d21b149b05ca0173ca31
SHA1

efedb00400642be3a9aae8647ec4aa72fb505917
SHA256

09ca89cac8dc7d77aebe7c5de08379d6546be00d799decf59bfee7dce0bbe0b1
SHA512

ca0562dcbc315090d006ff2c09555a8c9e3dbb2ac474d1c57a07d1a38cb472cd9a681dc70a46f772a16f9d2d14bdb15d81b0bc98066c01a0d89f449bf6d51bb1
SSDEEP

24576:YNhT2DtCMtThZG1r9xoGY+kgmzbp0hDQqLuyYWxy:MDQojLYMm/pEDDLuWxy

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 46 IoCs

pid	Process
2836	winupdate.exe
2680	winupdate.exe
1972	winupdate.exe
2724	winupdate.exe
1964	winupdate.exe
1724	winupdate.exe
1776	winupdate.exe
3036	winupdate.exe
2356	winupdate.exe
2284	winupdate.exe
1640	winupdate.exe
2520	winupdate.exe
444	winupdate.exe
696	winupdate.exe
2280	winupdate.exe
2000	winupdate.exe
2840	winupdate.exe
2500	winupdate.exe
2880	winupdate.exe
2744	winupdate.exe
820	winupdate.exe
1452	winupdate.exe
2960	winupdate.exe
1796	winupdate.exe
856	winupdate.exe
1432	winupdate.exe
2028	winupdate.exe
2608	winupdate.exe
1744	winupdate.exe
2672	winupdate.exe
1908	winupdate.exe
2964	winupdate.exe
2732	winupdate.exe
1800	winupdate.exe
1992	winupdate.exe
1584	winupdate.exe
3048	winupdate.exe
1900	winupdate.exe
2924	winupdate.exe
2780	winupdate.exe
2272	winupdate.exe
1728	winupdate.exe
640	winupdate.exe
2960	winupdate.exe
1648	winupdate.exe
2224	winupdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
2836	winupdate.exe
2836	winupdate.exe
2836	winupdate.exe
2836	winupdate.exe
2680	winupdate.exe
2680	winupdate.exe
2680	winupdate.exe
2680	winupdate.exe
1972	winupdate.exe
1972	winupdate.exe
1972	winupdate.exe
1972	winupdate.exe
2724	winupdate.exe
2724	winupdate.exe
2724	winupdate.exe
2724	winupdate.exe
1964	winupdate.exe
1964	winupdate.exe
1964	winupdate.exe
1964	winupdate.exe
1724	winupdate.exe
1724	winupdate.exe
1724	winupdate.exe
1724	winupdate.exe
1776	winupdate.exe
1776	winupdate.exe
1776	winupdate.exe
1776	winupdate.exe
3036	winupdate.exe
3036	winupdate.exe
3036	winupdate.exe
3036	winupdate.exe
2356	winupdate.exe
2356	winupdate.exe
2356	winupdate.exe
2356	winupdate.exe
2284	winupdate.exe
2284	winupdate.exe
2284	winupdate.exe
2284	winupdate.exe
1640	winupdate.exe
1640	winupdate.exe
1640	winupdate.exe
1640	winupdate.exe
2520	winupdate.exe
2520	winupdate.exe
2520	winupdate.exe
2520	winupdate.exe
444	winupdate.exe
444	winupdate.exe
444	winupdate.exe
444	winupdate.exe
696	winupdate.exe
696	winupdate.exe
696	winupdate.exe
696	winupdate.exe
2280	winupdate.exe
2280	winupdate.exe
2280	winupdate.exe
2280	winupdate.exe
2000	winupdate.exe
2000	winupdate.exe
2000	winupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1972	winupdate.exe
1776	winupdate.exe
2356	winupdate.exe
2280	winupdate.exe
2880	winupdate.exe
640	winupdate.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2836 set thread context of 2680	2836	winupdate.exe	36
PID 1972 set thread context of 2724	1972	winupdate.exe	40
PID 1964 set thread context of 1724	1964	winupdate.exe	46
PID 1776 set thread context of 3036	1776	winupdate.exe	50
PID 2356 set thread context of 2284	2356	winupdate.exe	55
PID 1640 set thread context of 2520	1640	winupdate.exe	61
PID 444 set thread context of 696	444	winupdate.exe	66
PID 2280 set thread context of 2000	2280	winupdate.exe	70
PID 2840 set thread context of 2500	2840	winupdate.exe	76
PID 2880 set thread context of 2744	2880	winupdate.exe	80
PID 820 set thread context of 1452	820	winupdate.exe	85
PID 2960 set thread context of 1796	2960	winupdate.exe	90
PID 856 set thread context of 1432	856	winupdate.exe	96
PID 2028 set thread context of 2608	2028	winupdate.exe	101
PID 1744 set thread context of 2672	1744	winupdate.exe	106
PID 1908 set thread context of 2964	1908	winupdate.exe	110
PID 2732 set thread context of 1800	2732	winupdate.exe	116
PID 1992 set thread context of 1584	1992	winupdate.exe	120
PID 3048 set thread context of 1900	3048	winupdate.exe	126
PID 2924 set thread context of 2780	2924	winupdate.exe	131
PID 2272 set thread context of 1728	2272	winupdate.exe	136
PID 640 set thread context of 2960	640	winupdate.exe	140
PID 1648 set thread context of 2224	1648	winupdate.exe	146

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 23 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2488	PING.EXE
2816	PING.EXE
920	PING.EXE
1848	PING.EXE
2280	PING.EXE
444	PING.EXE
1464	PING.EXE
2080	PING.EXE
816	PING.EXE
1800	PING.EXE
1592	PING.EXE
2264	PING.EXE
1528	PING.EXE
1076	PING.EXE
2664	PING.EXE
444	PING.EXE
2772	PING.EXE
1620	PING.EXE
1900	PING.EXE
2920	PING.EXE
812	PING.EXE
2452	PING.EXE
1464	PING.EXE

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
2080	PING.EXE
2488	PING.EXE
812	PING.EXE
1076	PING.EXE
1848	PING.EXE
1528	PING.EXE
2772	PING.EXE
2816	PING.EXE
2664	PING.EXE
2280	PING.EXE
1464	PING.EXE
2264	PING.EXE
1800	PING.EXE
2920	PING.EXE
1592	PING.EXE
2452	PING.EXE
1620	PING.EXE
816	PING.EXE
1900	PING.EXE
444	PING.EXE
920	PING.EXE
444	PING.EXE
1464	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSecurityPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeBackupPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeRestorePrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeShutdownPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeDebugPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeUndockPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: 33	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: 34	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: 35	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeRestorePrivilege	2836	winupdate.exe
Token: SeBackupPrivilege	2836	winupdate.exe
Token: SeIncreaseQuotaPrivilege	2680	winupdate.exe
Token: SeSecurityPrivilege	2680	winupdate.exe
Token: SeTakeOwnershipPrivilege	2680	winupdate.exe
Token: SeLoadDriverPrivilege	2680	winupdate.exe
Token: SeSystemProfilePrivilege	2680	winupdate.exe
Token: SeSystemtimePrivilege	2680	winupdate.exe
Token: SeProfSingleProcessPrivilege	2680	winupdate.exe
Token: SeIncBasePriorityPrivilege	2680	winupdate.exe
Token: SeCreatePagefilePrivilege	2680	winupdate.exe
Token: SeBackupPrivilege	2680	winupdate.exe
Token: SeRestorePrivilege	2680	winupdate.exe
Token: SeShutdownPrivilege	2680	winupdate.exe
Token: SeDebugPrivilege	2680	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2680	winupdate.exe
Token: SeChangeNotifyPrivilege	2680	winupdate.exe
Token: SeRemoteShutdownPrivilege	2680	winupdate.exe
Token: SeUndockPrivilege	2680	winupdate.exe
Token: SeManageVolumePrivilege	2680	winupdate.exe
Token: SeImpersonatePrivilege	2680	winupdate.exe
Token: SeCreateGlobalPrivilege	2680	winupdate.exe
Token: 33	2680	winupdate.exe
Token: 34	2680	winupdate.exe
Token: 35	2680	winupdate.exe
Token: SeRestorePrivilege	2680	winupdate.exe
Token: SeBackupPrivilege	2680	winupdate.exe
Token: SeRestorePrivilege	1972	winupdate.exe
Token: SeBackupPrivilege	1972	winupdate.exe
Token: SeIncreaseQuotaPrivilege	2724	winupdate.exe
Token: SeSecurityPrivilege	2724	winupdate.exe
Token: SeTakeOwnershipPrivilege	2724	winupdate.exe
Token: SeLoadDriverPrivilege	2724	winupdate.exe
Token: SeSystemProfilePrivilege	2724	winupdate.exe
Token: SeSystemtimePrivilege	2724	winupdate.exe
Token: SeProfSingleProcessPrivilege	2724	winupdate.exe
Token: SeIncBasePriorityPrivilege	2724	winupdate.exe
Token: SeCreatePagefilePrivilege	2724	winupdate.exe
Token: SeBackupPrivilege	2724	winupdate.exe
Token: SeRestorePrivilege	2724	winupdate.exe
Token: SeShutdownPrivilege	2724	winupdate.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
2836	winupdate.exe
2836	winupdate.exe
1972	winupdate.exe
1972	winupdate.exe
1964	winupdate.exe
1964	winupdate.exe
1776	winupdate.exe
1776	winupdate.exe
2356	winupdate.exe
2356	winupdate.exe
1640	winupdate.exe
1640	winupdate.exe
444	winupdate.exe
444	winupdate.exe
2280	winupdate.exe
2280	winupdate.exe
2840	winupdate.exe
2840	winupdate.exe
2880	winupdate.exe
2880	winupdate.exe
820	winupdate.exe
820	winupdate.exe
2960	winupdate.exe
2960	winupdate.exe
856	winupdate.exe
856	winupdate.exe
2028	winupdate.exe
2028	winupdate.exe
1744	winupdate.exe
1744	winupdate.exe
1908	winupdate.exe
1908	winupdate.exe
2732	winupdate.exe
2732	winupdate.exe
1992	winupdate.exe
1992	winupdate.exe
3048	winupdate.exe
3048	winupdate.exe
2924	winupdate.exe
2924	winupdate.exe
2272	winupdate.exe
2272	winupdate.exe
640	winupdate.exe
640	winupdate.exe
1648	winupdate.exe
1648	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2420	2408	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2836	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2836	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2836	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2836	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2836	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2836	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2836	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	32
PID 2420 wrote to memory of 2900	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2900	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2900	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2900	2420	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2772	2900	cmd.exe	35
PID 2900 wrote to memory of 2772	2900	cmd.exe	35
PID 2900 wrote to memory of 2772	2900	cmd.exe	35
PID 2900 wrote to memory of 2772	2900	cmd.exe	35
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2836 wrote to memory of 2680	2836	winupdate.exe	36
PID 2680 wrote to memory of 1972	2680	winupdate.exe	37
PID 2680 wrote to memory of 1972	2680	winupdate.exe	37
PID 2680 wrote to memory of 1972	2680	winupdate.exe	37
PID 2680 wrote to memory of 1972	2680	winupdate.exe	37
PID 2680 wrote to memory of 1972	2680	winupdate.exe	37
PID 2680 wrote to memory of 1972	2680	winupdate.exe	37
PID 2680 wrote to memory of 1972	2680	winupdate.exe	37
PID 2680 wrote to memory of 1688	2680	winupdate.exe	38
PID 2680 wrote to memory of 1688	2680	winupdate.exe	38
PID 2680 wrote to memory of 1688	2680	winupdate.exe	38
PID 2680 wrote to memory of 1688	2680	winupdate.exe	38
PID 2680 wrote to memory of 1688	2680	winupdate.exe	38
PID 2680 wrote to memory of 1688	2680	winupdate.exe	38
PID 2680 wrote to memory of 1688	2680	winupdate.exe	38
PID 1972 wrote to memory of 2724	1972	winupdate.exe	40
PID 1972 wrote to memory of 2724	1972	winupdate.exe	40
PID 1972 wrote to memory of 2724	1972	winupdate.exe	40
PID 1972 wrote to memory of 2724	1972	winupdate.exe	40
PID 1972 wrote to memory of 2724	1972	winupdate.exe	40
PID 1972 wrote to memory of 2724	1972	winupdate.exe	40

C:\Users\Admin\AppData\Local\Temp\ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
    "C:\Windows\system32\Windowsupdate\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1724
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3036
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2284
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2520
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:444
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:696
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2000
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2500
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2744
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1452
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        26⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1796
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        28⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1432
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        30⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2608
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        32⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2672
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        34⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2964
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        36⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1800
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        38⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1584
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        40⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1900
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        42⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2780
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        44⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1728
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        46⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2960
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        48⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        43⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        44⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        42⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        40⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        38⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        21⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        15⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        7⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
82B

MD5
161109f79808cfb6a41a419e9c0e94a8

SHA1
9e8191ceeaaa07868efe2a90ad9179902509c6e2

SHA256
1f0311b2dfc1ef35e51cd0271e0e6af6549fe3a3089a9cdc9ad3568cd424523a

SHA512
6c3b41b0ddf7cf86b2faf7583dbff9a752d9545c7028359378911d4244186f66e403547aad6e10fb7ad1cc56bdad9943f4b934f88d78de6b6d36f0d3163d31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
119B

MD5
309a4c299bfde9b63b5d388b17eb36fc

SHA1
84a88f3bf02e61919ffdfabeb6011a0da7929148

SHA256
88a34b8e11bbdec1cba4c4e1fa57fc5a6259df0fc1e4f127fa25b2d31b1fedf8

SHA512
df38c0cd6241fb7e50be44b7a6e2a57ed42165c48e6f7b372f23b1c4c1ef2f106d99d911256d0f87587567350a9d25e9017995a9e216e959fe6b406852ab6395

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
1.3MB

MD5
ae1a4ed9fdf3d21b149b05ca0173ca31

SHA1
efedb00400642be3a9aae8647ec4aa72fb505917

SHA256
09ca89cac8dc7d77aebe7c5de08379d6546be00d799decf59bfee7dce0bbe0b1

SHA512
ca0562dcbc315090d006ff2c09555a8c9e3dbb2ac474d1c57a07d1a38cb472cd9a681dc70a46f772a16f9d2d14bdb15d81b0bc98066c01a0d89f449bf6d51bb1

Download Submit
\??\c:\users\admin\appdata\local\temp\724DC897

Filesize
14B

MD5
f8e17c19aa9c15af562cf385da2e313f

SHA1
fcf9001b781e05f2c50beb83b71eb7e10b64a03d

SHA256
4605f4aa5b91a98eccb97af1db025aaf870a10e022d91551e59b5197c877329a

SHA512
e038acee744bd055b225681651d0d79fb3c1af147fb8f9c4795936427bd23792f39f36c17ed8fdf29c5573715c0f21c17bd193e71c47c151c95e63acb53c4c25

Download Submit
memory/1724-215-0x0000000000C80000-0x000000000101A000-memory.dmp

Filesize
3.6MB

Download
memory/1964-217-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1964-183-0x0000000000D90000-0x000000000112A000-memory.dmp

Filesize
3.6MB

Download
memory/1964-213-0x00000000041A0000-0x000000000453A000-memory.dmp

Filesize
3.6MB

Download
memory/1964-184-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-121-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-120-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-206-0x00000000044C0000-0x000000000485A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-124-0x00000000011F0000-0x000000000158A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-115-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-143-0x00000000011F0000-0x000000000158A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-125-0x00000000011F0000-0x000000000158A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-148-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1972-155-0x00000000044C0000-0x000000000485A000-memory.dmp

Filesize
3.6MB

Download
memory/2408-0-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2408-26-0x0000000003C60000-0x0000000003FFA000-memory.dmp

Filesize
3.6MB

Download
memory/2408-29-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2408-2-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2408-3-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2420-6-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-10-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-25-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-24-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-51-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-20-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-19-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-14-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-12-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-8-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-27-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-30-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-31-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-32-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2420-39-0x0000000005B70000-0x0000000005F0A000-memory.dmp

Filesize
3.6MB

Download
memory/2680-95-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2680-100-0x0000000000B40000-0x0000000000EDA000-memory.dmp

Filesize
3.6MB

Download
memory/2680-88-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2680-111-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2680-99-0x0000000000B40000-0x0000000000EDA000-memory.dmp

Filesize
3.6MB

Download
memory/2680-97-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2680-98-0x0000000000B40000-0x0000000000EDA000-memory.dmp

Filesize
3.6MB

Download
memory/2680-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-157-0x0000000000B10000-0x0000000000EAA000-memory.dmp

Filesize
3.6MB

Download
memory/2724-156-0x0000000000B10000-0x0000000000EAA000-memory.dmp

Filesize
3.6MB

Download
memory/2836-65-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2836-89-0x0000000004610000-0x00000000049AA000-memory.dmp

Filesize
3.6MB

Download
memory/2836-44-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2836-96-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2836-60-0x0000000001310000-0x00000000016AA000-memory.dmp

Filesize
3.6MB

Download
memory/2836-61-0x0000000001310000-0x00000000016AA000-memory.dmp

Filesize
3.6MB

Download
memory/2836-64-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2836-58-0x0000000001310000-0x00000000016AA000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads