Overview

overview

10

Static

static

1

Apocalypse....4.rar

windows7-x64

10

Apocalypse....4.rar

windows10-2004-x64

1

Analysis

  • max time kernel
    53s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Apocalypse RAT 1.4.4.rar

  • Size

    2.6MB

  • MD5

    2dbd62a86821c748dd1b5d576a424668

  • SHA1

    d22a0071f27f1173c04d06fddacc318705f2a820

  • SHA256

    1272e2bacba1e801708f93cedb19fecf3b009633b46979730209672db9c53a21

  • SHA512

    ac781e1350b53d3eb4aeb0262130146fe2e3ee6dc67ac828820cec738e3b4cdfa32183f43f61ec11fee4fc83d63aca8089c5daa92aa1d1f5291e0775d7e5f223

  • SSDEEP

    49152:YTjYUZI02JpoOPiDnxTqQswz8d/glL1II3PBW2rIk5ywp54Qz7xvYM:EjYUHcpoftTqQJIcF3JW20YX4s7pH

Score
10/10
darkcometmodiloaderdiscoverypersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 64 IoCs
    persistence
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 6 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Apocalypse RAT 1.4.4.rar"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\7zO039A1BB6\Apocalypse RAT 1.4.4.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO039A1BB6\Apocalypse RAT 1.4.4.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\APOCALYPSE RAT 1.4.4.EXE
        "C:\Users\Admin\AppData\Local\Temp\APOCALYPSE RAT 1.4.4.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Users\Admin\AppData\Local\Temp\APOCALYPSE RAT 1.4.4.exe
          "C:\Users\Admin\AppData\Local\Temp\APOCALYPSE RAT 1.4.4.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1808
          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
            "C:\Windows\system32\Windupdt\winupdate.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:1560
            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2896
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                • Adds Run key to start application
                PID:2236
              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                "C:\Windows\system32\Windupdt\winupdate.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:1636
                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2032
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad
                    9⤵
                    • Drops file in System32 directory
                    PID:1428
                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                    "C:\Windows\system32\Windupdt\winupdate.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:2788
                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Adds Run key to start application
                      PID:2384
                      • C:\Windows\SysWOW64\notepad.exe
                        notepad
                        11⤵
                        • Adds Run key to start application
                        • Drops file in System32 directory
                        PID:3016
                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                        "C:\Windows\system32\Windupdt\winupdate.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Suspicious use of SetWindowsHookEx
                        PID:2344
                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Adds Run key to start application
                          PID:3000
                          • C:\Windows\SysWOW64\notepad.exe
                            notepad
                            13⤵
                            • Adds Run key to start application
                            PID:2188
                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                            "C:\Windows\system32\Windupdt\winupdate.exe"
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:984
                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                              14⤵
                              • Modifies WinLogon for persistence
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Adds Run key to start application
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              PID:644
                              • C:\Windows\SysWOW64\notepad.exe
                                notepad
                                15⤵
                                • System Location Discovery: System Language Discovery
                                PID:2956
                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • Suspicious use of SetWindowsHookEx
                                PID:2696
                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                  16⤵
                                  • Modifies WinLogon for persistence
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  PID:2612
                                  • C:\Windows\SysWOW64\notepad.exe
                                    notepad
                                    17⤵
                                    • Adds Run key to start application
                                    • System Location Discovery: System Language Discovery
                                    PID:1420
                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious use of SetThreadContext
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2004
                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:1732
                                      • C:\Windows\SysWOW64\notepad.exe
                                        notepad
                                        19⤵
                                          PID:2932
                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                          19⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of SetThreadContext
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1648
                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                            20⤵
                                            • Modifies WinLogon for persistence
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            PID:2328
                                            • C:\Windows\SysWOW64\notepad.exe
                                              notepad
                                              21⤵
                                              • Adds Run key to start application
                                              PID:2524
                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                              21⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1836
                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                22⤵
                                                • Modifies WinLogon for persistence
                                                • Executes dropped EXE
                                                PID:1764
                                                • C:\Windows\SysWOW64\notepad.exe
                                                  notepad
                                                  23⤵
                                                    PID:2284
                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                    23⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:1724
                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                      24⤵
                                                      • Modifies WinLogon for persistence
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      PID:2444
                                                      • C:\Windows\SysWOW64\notepad.exe
                                                        notepad
                                                        25⤵
                                                        • Adds Run key to start application
                                                        PID:1532
                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                        25⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:536
                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                          26⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:1648
                                                          • C:\Windows\SysWOW64\notepad.exe
                                                            notepad
                                                            27⤵
                                                              PID:1544
                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                              27⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2676
                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                28⤵
                                                                • Modifies WinLogon for persistence
                                                                • Executes dropped EXE
                                                                PID:2668
                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                  notepad
                                                                  29⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1948
                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                  29⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:2192
                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                    30⤵
                                                                    • Modifies WinLogon for persistence
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2920
                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                      notepad
                                                                      31⤵
                                                                      • Adds Run key to start application
                                                                      PID:2596
                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                      31⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:536
                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                        32⤵
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • Drops file in System32 directory
                                                                        PID:1848
                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                          notepad
                                                                          33⤵
                                                                          • Adds Run key to start application
                                                                          PID:2464
                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                          33⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1092
                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                            34⤵
                                                                            • Modifies WinLogon for persistence
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            PID:1732
                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                              notepad
                                                                              35⤵
                                                                                PID:2160
                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                35⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:644
                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                  36⤵
                                                                                  • Modifies WinLogon for persistence
                                                                                  • Executes dropped EXE
                                                                                  • Adds Run key to start application
                                                                                  PID:2576
                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                    notepad
                                                                                    37⤵
                                                                                    • Adds Run key to start application
                                                                                    PID:2744
                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                    37⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1556
                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                      38⤵
                                                                                      • Modifies WinLogon for persistence
                                                                                      • Executes dropped EXE
                                                                                      • Adds Run key to start application
                                                                                      • Drops file in System32 directory
                                                                                      PID:2592
                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                        notepad
                                                                                        39⤵
                                                                                          PID:916
                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                          39⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2316
                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                            40⤵
                                                                                            • Modifies WinLogon for persistence
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1728
                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                              notepad
                                                                                              41⤵
                                                                                                PID:2712
                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                41⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:2360
                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                  42⤵
                                                                                                  • Modifies WinLogon for persistence
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:2576
                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                    notepad
                                                                                                    43⤵
                                                                                                    • Adds Run key to start application
                                                                                                    PID:1776
                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                    43⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:852
                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                      44⤵
                                                                                                      • Modifies WinLogon for persistence
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:2696
                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                        notepad
                                                                                                        45⤵
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:2756
                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                        45⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:2840
                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                          46⤵
                                                                                                          • Modifies WinLogon for persistence
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:1772
                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                            notepad
                                                                                                            47⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:840
                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                            47⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:1764
                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                              48⤵
                                                                                                              • Modifies WinLogon for persistence
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:1692
                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                notepad
                                                                                                                49⤵
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:2248
                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                49⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:2608
                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                  50⤵
                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:2920
                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                    notepad
                                                                                                                    51⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1740
                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                    51⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:404
                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                      52⤵
                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Adds Run key to start application
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:888
                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                        notepad
                                                                                                                        53⤵
                                                                                                                          PID:2132
                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                          53⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:1692
                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                            54⤵
                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:2988
                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                              notepad
                                                                                                                              55⤵
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:2652
                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                              55⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:2108
                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                56⤵
                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:2104
                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                  notepad
                                                                                                                                  57⤵
                                                                                                                                    PID:2916
                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                    57⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:2856
                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                      58⤵
                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      PID:1992
                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                        notepad
                                                                                                                                        59⤵
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        PID:1556
                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                        59⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:2760
                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                          60⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          PID:704
                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                            notepad
                                                                                                                                            61⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            PID:1476
                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                            61⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                            PID:2764
                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                              62⤵
                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Adds Run key to start application
                                                                                                                                              PID:2676
                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                notepad
                                                                                                                                                63⤵
                                                                                                                                                • Adds Run key to start application
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:1212
                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                63⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                PID:2852
                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                  64⤵
                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  PID:1708
                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                    notepad
                                                                                                                                                    65⤵
                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                    PID:1700
                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                    65⤵
                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                    PID:1228
                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                      66⤵
                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:1436
                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                        notepad
                                                                                                                                                        67⤵
                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                        PID:1992
                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                        67⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:2408
                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                          68⤵
                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:1968
                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                            notepad
                                                                                                                                                            69⤵
                                                                                                                                                              PID:1600
                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                              69⤵
                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                              PID:1696
                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                70⤵
                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                PID:1828
                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                  notepad
                                                                                                                                                                  71⤵
                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                  PID:2696
                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                  71⤵
                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                  PID:2408
                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                    72⤵
                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                    PID:3004
                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                      notepad
                                                                                                                                                                      73⤵
                                                                                                                                                                        PID:2280
                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                        73⤵
                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                        PID:704
                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                          74⤵
                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                          PID:536
                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                            notepad
                                                                                                                                                                            75⤵
                                                                                                                                                                              PID:1708
                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                              75⤵
                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                              PID:2828
                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                76⤵
                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                PID:1360
                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                  notepad
                                                                                                                                                                                  77⤵
                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                  PID:2588
                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                  77⤵
                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                  PID:2640
                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                    78⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:848
                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                      notepad
                                                                                                                                                                                      79⤵
                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                      PID:1088
                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                      79⤵
                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                      PID:992
                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                        80⤵
                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                        PID:2644
                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                          notepad
                                                                                                                                                                                          81⤵
                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                          PID:1960
                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                          81⤵
                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                          PID:1764
                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                            82⤵
                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:2768
                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                              notepad
                                                                                                                                                                                              83⤵
                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                              PID:2924
                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                              83⤵
                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                              PID:2052
                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                84⤵
                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                PID:1976
                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                  notepad
                                                                                                                                                                                                  85⤵
                                                                                                                                                                                                    PID:1588
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                    85⤵
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                    PID:2260
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                      86⤵
                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                      PID:1492
                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        notepad
                                                                                                                                                                                                        87⤵
                                                                                                                                                                                                          PID:2064
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                          87⤵
                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                          PID:1976
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                            88⤵
                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            PID:1644
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              notepad
                                                                                                                                                                                                              89⤵
                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                              PID:1696
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                              89⤵
                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                              PID:2576
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                90⤵
                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                PID:1240
                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  notepad
                                                                                                                                                                                                                  91⤵
                                                                                                                                                                                                                    PID:2604
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                    91⤵
                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                    PID:2468
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                      92⤵
                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                      PID:1664
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        notepad
                                                                                                                                                                                                                        93⤵
                                                                                                                                                                                                                          PID:2780
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                          93⤵
                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                          PID:888
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                            94⤵
                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                            PID:2892
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              notepad
                                                                                                                                                                                                                              95⤵
                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                              PID:1632
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                              95⤵
                                                                                                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                              PID:2632
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                96⤵
                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                PID:992
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  notepad
                                                                                                                                                                                                                                  97⤵
                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                  PID:1360
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                  97⤵
                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                  PID:1228
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                    98⤵
                                                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                                                    PID:2260
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                      notepad
                                                                                                                                                                                                                                      99⤵
                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                      PID:2140
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                      99⤵
                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                      PID:2004
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                        100⤵
                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                        PID:1540
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                          notepad
                                                                                                                                                                                                                                          101⤵
                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                          PID:536
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                          101⤵
                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                          PID:1976
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                            102⤵
                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                            PID:2892
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                              notepad
                                                                                                                                                                                                                                              103⤵
                                                                                                                                                                                                                                                PID:2480
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                103⤵
                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                PID:1828
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                  104⤵
                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  PID:1068
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                    notepad
                                                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                    PID:1492
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                    PID:1880
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                      106⤵
                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                      PID:992
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                        notepad
                                                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                                                          PID:2656
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                          107⤵
                                                                                                                                                                                                                                                          • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                          PID:3224
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                            108⤵
                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                            PID:3372
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                              notepad
                                                                                                                                                                                                                                                              109⤵
                                                                                                                                                                                                                                                                PID:3472
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                109⤵
                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                PID:3652
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                  110⤵
                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                  PID:3796
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                    notepad
                                                                                                                                                                                                                                                                    111⤵
                                                                                                                                                                                                                                                                      PID:3896
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                      111⤵
                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                      PID:4076
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                        112⤵
                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                        PID:828
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                          notepad
                                                                                                                                                                                                                                                                          113⤵
                                                                                                                                                                                                                                                                            PID:3132
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                            113⤵
                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                            PID:3336
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                              114⤵
                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                              PID:3496
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                notepad
                                                                                                                                                                                                                                                                                115⤵
                                                                                                                                                                                                                                                                                  PID:3596
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                  115⤵
                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                  PID:3784
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                    116⤵
                                                                                                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                    PID:3944
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                      notepad
                                                                                                                                                                                                                                                                                      117⤵
                                                                                                                                                                                                                                                                                        PID:4044
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                        117⤵
                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                        PID:1664
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                          118⤵
                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                          PID:3216
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                            notepad
                                                                                                                                                                                                                                                                                            119⤵
                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                            PID:3124
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                            119⤵
                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                            PID:3524
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                              120⤵
                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                              PID:3704
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                notepad
                                                                                                                                                                                                                                                                                                121⤵
                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                PID:3832
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                121⤵
                                                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                PID:3968
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                  122⤵
                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                  PID:1228
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                    notepad
                                                                                                                                                                                                                                                                                                    123⤵
                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                    PID:3116
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                    123⤵
                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                    PID:3332
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                      124⤵
                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                      PID:3560
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                        notepad
                                                                                                                                                                                                                                                                                                        125⤵
                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                        PID:3636
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                        125⤵
                                                                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                        PID:3820
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                          126⤵
                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                          PID:4028
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                            notepad
                                                                                                                                                                                                                                                                                                            127⤵
                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                            PID:2292
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                            127⤵
                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                            PID:3164
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                              128⤵
                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                              PID:3228
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                notepad
                                                                                                                                                                                                                                                                                                                129⤵
                                                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                PID:3544
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                129⤵
                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                PID:3744
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                  130⤵
                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                  PID:3936
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                    notepad
                                                                                                                                                                                                                                                                                                                    131⤵
                                                                                                                                                                                                                                                                                                                      PID:3560
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                      131⤵
                                                                                                                                                                                                                                                                                                                        PID:888
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                          132⤵
                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                          PID:1656
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                            notepad
                                                                                                                                                                                                                                                                                                                            133⤵
                                                                                                                                                                                                                                                                                                                              PID:3424
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                              133⤵
                                                                                                                                                                                                                                                                                                                                PID:1240
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                  134⤵
                                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                  PID:3508
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                    notepad
                                                                                                                                                                                                                                                                                                                                    135⤵
                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                    PID:3940
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                    135⤵
                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                    PID:3092
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                      136⤵
                                                                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                      PID:3304
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                        notepad
                                                                                                                                                                                                                                                                                                                                        137⤵
                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                        PID:3448
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                        137⤵
                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                        PID:3512
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                          138⤵
                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                          PID:880
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                            notepad
                                                                                                                                                                                                                                                                                                                                            139⤵
                                                                                                                                                                                                                                                                                                                                              PID:3992
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                              139⤵
                                                                                                                                                                                                                                                                                                                                                PID:3944
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                  140⤵
                                                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                  PID:3308
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                    notepad
                                                                                                                                                                                                                                                                                                                                                    141⤵
                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                    PID:888
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                    141⤵
                                                                                                                                                                                                                                                                                                                                                      PID:3844
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                        142⤵
                                                                                                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                        PID:3924
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                          notepad
                                                                                                                                                                                                                                                                                                                                                          143⤵
                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                          PID:1976
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                          143⤵
                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                          PID:3184
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                            144⤵
                                                                                                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                            PID:4040
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                              notepad
                                                                                                                                                                                                                                                                                                                                                              145⤵
                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                              PID:1228
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                              145⤵
                                                                                                                                                                                                                                                                                                                                                                PID:3848
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                  146⤵
                                                                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                  PID:2936
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                    notepad
                                                                                                                                                                                                                                                                                                                                                                    147⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2892
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                      147⤵
                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                      PID:3284
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                        148⤵
                                                                                                                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                        PID:3344
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                          notepad
                                                                                                                                                                                                                                                                                                                                                                          149⤵
                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                          PID:3748
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                          149⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:3744
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                              150⤵
                                                                                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                              PID:3140
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                notepad
                                                                                                                                                                                                                                                                                                                                                                                151⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:3276
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                                  151⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:3720
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                                      152⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                      PID:3904
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                        notepad
                                                                                                                                                                                                                                                                                                                                                                                        153⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                        PID:4060
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                                        153⤵
                                                                                                                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                        PID:3524
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                                          154⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                          PID:3168
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                            notepad
                                                                                                                                                                                                                                                                                                                                                                                            155⤵
                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                            PID:3684
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                                                                                                                                                                                                                                            155⤵
                                                                                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                                            PID:3996
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                            155⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:4000
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                          153⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:3288
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                        151⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:3612
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                      149⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:4040
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                    147⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:3500
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                  145⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:3908
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                                143⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:3204
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                              141⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3492
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                            139⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3076
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                          137⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:3620
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                        135⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1640
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                      133⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3668
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                    131⤵
                                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                    PID:2856
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                                129⤵
                                                                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                                PID:3772
                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                            127⤵
                                                                                                                                                                                                                                                                                                                                                              PID:3172
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                          125⤵
                                                                                                                                                                                                                                                                                                                                                            PID:3824
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                        123⤵
                                                                                                                                                                                                                                                                                                                                                          PID:992
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                      121⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3788
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                    119⤵
                                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                                    PID:3532
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                                117⤵
                                                                                                                                                                                                                                                                                                                                                  PID:1540
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                              115⤵
                                                                                                                                                                                                                                                                                                                                                PID:3792
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                            113⤵
                                                                                                                                                                                                                                                                                                                                              PID:3356
                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                          111⤵
                                                                                                                                                                                                                                                                                                                                            PID:4084
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                        109⤵
                                                                                                                                                                                                                                                                                                                                          PID:3660
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                      107⤵
                                                                                                                                                                                                                                                                                                                                        PID:3232
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                                    PID:2380
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                                103⤵
                                                                                                                                                                                                                                                                                                                                  PID:2512
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                              101⤵
                                                                                                                                                                                                                                                                                                                                PID:1400
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                            99⤵
                                                                                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                            PID:2828
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                        97⤵
                                                                                                                                                                                                                                                                                                                          PID:2360
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                      95⤵
                                                                                                                                                                                                                                                                                                                        PID:2560
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                    93⤵
                                                                                                                                                                                                                                                                                                                      PID:2708
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                  91⤵
                                                                                                                                                                                                                                                                                                                    PID:2676
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                                89⤵
                                                                                                                                                                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                                PID:344
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                            87⤵
                                                                                                                                                                                                                                                                                                              PID:1620
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                          85⤵
                                                                                                                                                                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                                          PID:704
                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                      83⤵
                                                                                                                                                                                                                                                                                                        PID:1032
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                    81⤵
                                                                                                                                                                                                                                                                                                      PID:2764
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                  79⤵
                                                                                                                                                                                                                                                                                                    PID:1552
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                                77⤵
                                                                                                                                                                                                                                                                                                  PID:464
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                              75⤵
                                                                                                                                                                                                                                                                                                PID:756
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                            73⤵
                                                                                                                                                                                                                                                                                              PID:2692
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                          71⤵
                                                                                                                                                                                                                                                                                            PID:444
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                        69⤵
                                                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                                        PID:404
                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                                                                      PID:2448
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                  65⤵
                                                                                                                                                                                                                                                                                    PID:844
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                                63⤵
                                                                                                                                                                                                                                                                                  PID:2800
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                              61⤵
                                                                                                                                                                                                                                                                                PID:2832
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                            59⤵
                                                                                                                                                                                                                                                                              PID:892
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                          57⤵
                                                                                                                                                                                                                                                                            PID:2172
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                        55⤵
                                                                                                                                                                                                                                                                          PID:2940
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                      53⤵
                                                                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                                      PID:2068
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                  51⤵
                                                                                                                                                                                                                                                                    PID:2888
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                                49⤵
                                                                                                                                                                                                                                                                  PID:1996
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                              47⤵
                                                                                                                                                                                                                                                                PID:1660
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                            45⤵
                                                                                                                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                            PID:1784
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                        43⤵
                                                                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                        PID:2400
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                    41⤵
                                                                                                                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                                    PID:1832
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                                39⤵
                                                                                                                                                                                                                                                  PID:2156
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                              37⤵
                                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                                              PID:1404
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                          35⤵
                                                                                                                                                                                                                                            PID:2036
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                        33⤵
                                                                                                                                                                                                                                          PID:1160
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                      31⤵
                                                                                                                                                                                                                                        PID:3012
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                    29⤵
                                                                                                                                                                                                                                      PID:324
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                    PID:2028
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                                25⤵
                                                                                                                                                                                                                                  PID:532
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                              23⤵
                                                                                                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                              PID:480
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                          21⤵
                                                                                                                                                                                                                            PID:2948
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                        19⤵
                                                                                                                                                                                                                          PID:1584
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                      C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                                                                                      PID:1080
                                                                                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                  15⤵
                                                                                                                                                                                                                    PID:2732
                                                                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                  PID:1516
                                                                                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                PID:1456
                                                                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                              PID:2772
                                                                                                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                          C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                            PID:336
                                                                                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                                                                        PID:680
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE"
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                    PID:2680
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\CLIENT.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\CLIENT.exe"
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                      PID:2804

                                                                                                                                                                                              Network

                                                                                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                                                                                              Replay Monitor

                                                                                                                                                                                              Loading Replay Monitor...

                                                                                                                                                                                              Downloads

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zO039A1BB6\Apocalypse RAT 1.4.4.exe
                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4.3MB

                                                                                                                                                                                                MD5

                                                                                                                                                                                                26295ff8ffdc3cbd12c5eae3be818f82

                                                                                                                                                                                                SHA1

                                                                                                                                                                                                f652b980d3f7b7b4df71e125a86a99a017a24593

                                                                                                                                                                                                SHA256

                                                                                                                                                                                                4337fe6f7aca625c6b95fb9b5541428bf91f42d76319e6da0f6778bd7c6f0818

                                                                                                                                                                                                SHA512

                                                                                                                                                                                                6625e6d1ddf0695f8cfd4783462046dcc82f26ef2bb2867af1199af46bb33e6adba97489e2add56b744043e34815d155c097fca8d6ef2b28ccd18b405011957d

                                                                                                                                                                                                Download Submit

                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\APOCALYPSE RAT 1.4.4.EXE
                                                                                                                                                                                                Filesize

                                                                                                                                                                                                679KB

                                                                                                                                                                                                MD5

                                                                                                                                                                                                f4500568f2d3da39fb7fa68e658fef35

                                                                                                                                                                                                SHA1

                                                                                                                                                                                                8e47b5420e2fa4ef46722bffad0d092ce98daa6a

                                                                                                                                                                                                SHA256

                                                                                                                                                                                                bec917b0da6f4298be236e8b14c4b05a25c1deb92db294ec121a4a21098859f1

                                                                                                                                                                                                SHA512

                                                                                                                                                                                                9ab66e4a87b7288a0d11c422ea3a70a8c432f0080735ef04ec42bfa9475eb8d176894b061c2bff75939d2e56d780ec506a938f5788838128498665f18853c51d

                                                                                                                                                                                                Download Submit

                                                                                                                                                                                              • \Users\Admin\AppData\Local\Temp\CLIENT.EXE
                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                MD5

                                                                                                                                                                                                a6d6041eb78a8c1b0eb8691d3f6745e5

                                                                                                                                                                                                SHA1

                                                                                                                                                                                                e032477a31273fe8e2a3367f5c50f7a394a0baf2

                                                                                                                                                                                                SHA256

                                                                                                                                                                                                bcffb0f5d3fcbe3130da2b2b29bc4c5276a926f63a4f6fc8a6a7062e7f4a9d38

                                                                                                                                                                                                SHA512

                                                                                                                                                                                                288f1b87697c35871ba380d1dfddb79e9620620a7022649ade33a858f2152446fdeb8c7e86d4ed464410a44f32c62cc35179c492ff9e206fffb43d371e1acbaa

                                                                                                                                                                                                Download Submit

                                                                                                                                                                                              • memory/1808-77-0x0000000000080000-0x0000000000081000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-28-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-75-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-41-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-39-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-36-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-34-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-32-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-30-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-44-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                4KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2736-26-0x0000000013140000-0x00000000131F6000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                728KB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-57-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-72-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-69-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-67-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-65-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-63-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-61-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-59-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download

                                                                                                                                                                                              • memory/2804-74-0x0000000000400000-0x000000000076E000-memory.dmp

                                                                                                                                                                                                Filesize

                                                                                                                                                                                                3.4MB

                                                                                                                                                                                                Download