Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
07/02/2025, 10:58
General
-
Target
JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe
-
Size
1.2MB
-
MD5
b64c82d841f0ca478ee4b052973ec8de
-
SHA1
1d6b7f8243fff0e5cd771e999c9098423e99eeb1
-
SHA256
32c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab
-
SHA512
1d9bfe0e21a6c1639eaa908fef16d3d6777fd0fb08ccd3c014600449fb5df8977fa58986a2afa49c4971b18f63ab802fa779d70e78d4fc3da7314dfbe5c38623
-
SSDEEP
12288:/V9QZXi5ITtw8xqm8LlO5/8h4+9Ymoxefl5QT5VVpJ5PCf/BPEsKZXCa6jpoLuJl:UTtNkoxBUJjTH6FyTKJ49HGjNA
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
DEVILSKARTEL
C2
murdak.no-ip.org:100
Mutex
DC_MUTEX-D4UU794
Attributes
-
InstallPath
MICROSOFTUPDATE.exe
-
gencode
oF.s0Pyx7UWi
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
rc4.plain
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 42 IoCs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 42 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 42 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\okfm4qjk.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0D4.tmp"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\JaffaCakes118_b64c82d841f0ca478ee4b052973ec8de.exe2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ipy9tn5z.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF671.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF670.tmp"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l6_o5any.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA38.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA37.tmp"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kvc1dfgc.cmdline"8⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD73.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD62.tmp"9⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sknhpr5n.cmdline"10⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc187.tmp"11⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jggfmg5l.cmdline"12⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C8.tmp"13⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yey1qemk.cmdline"14⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53E.tmp"15⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kt7hlvn_.cmdline"16⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES781.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc780.tmp"17⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bmmmdmaj.cmdline"18⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES974.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc973.tmp"19⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qilxnil-.cmdline"20⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB57.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB56.tmp"21⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u04s5soq.cmdline"22⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4A.tmp"23⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7n6e_kih.cmdline"24⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1E.tmp"25⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\or5cwfl1.cmdline"26⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10B3.tmp"27⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8sazo5k7.cmdline"28⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1279.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1278.tmp"29⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjlf0ddr.cmdline"30⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES144D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc144C.tmp"31⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ryiirqad.cmdline"32⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1611.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1610.tmp"33⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r26pq0at.cmdline"34⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17B5.tmp"35⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jbtx9rro.cmdline"36⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc197A.tmp"37⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vdzu42u_.cmdline"38⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B2F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B2E.tmp"39⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\urzh2lls.cmdline"40⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CD5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CD4.tmp"41⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ee3z6ara.cmdline"42⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E69.tmp"43⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ejgd4cu.cmdline"44⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2000.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1FFF.tmp"45⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jyi1gpos.cmdline"46⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2176.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2175.tmp"47⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rstp5tre.cmdline"48⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc22FB.tmp"49⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vpkq0cgx.cmdline"50⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24A1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc24A0.tmp"51⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s1mjuc60.cmdline"52⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2637.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2636.tmp"53⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe52⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-6ez1gco.cmdline"54⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27BD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27AC.tmp"55⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pu5tpo4b.cmdline"56⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2933.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2932.tmp"57⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe56⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wehbh9gv.cmdline"58⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2AC8.tmp"59⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe58⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1v6fbcop.cmdline"60⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C3E.tmp"61⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xbsn7vv_.cmdline"62⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E12.tmp"63⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe62⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uolhamr-.cmdline"64⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FD7.tmp"65⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i5mywysb.cmdline"66⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc319B.tmp"67⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe66⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"67⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n-6cwtki.cmdline"68⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3341.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3340.tmp"69⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe68⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"69⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kk7twmnk.cmdline"70⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3506.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3505.tmp"71⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe70⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"71⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bw3busw-.cmdline"72⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES368C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc368B.tmp"73⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe72⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"73⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\knhhgzwh.cmdline"74⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3850.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc384F.tmp"75⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe74⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"75⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r9fmwyrh.cmdline"76⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A04.tmp"77⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe76⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"77⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9xb3erfa.cmdline"78⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BC9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3BB9.tmp"79⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe78⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"79⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ajvcobx0.cmdline"80⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D11.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D10.tmp"81⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe80⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"81⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ylu3qlwl.cmdline"82⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3EE4.tmp"83⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe82⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"83⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tye-zakn.cmdline"84⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES408A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4089.tmp"85⤵
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\MICROSOFTUPDATE.exe84⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\MICROSOFTUPDATE.exe"C:\Windows\system32\MICROSOFTUPDATE.exe"85⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52543318c4064137ab1e3b4f386cac286
SHA1d5773334d857569d9fa2cb7990ebf2fa47bafff0
SHA2564e28d3f86d2071e07c73f7e59bf1ad48585efba01785b81a6c79cff18b137115
SHA51201b89e325445fee4b66f6d3306d6609d78c927168a92d727d7d8c5b43322b57a937af984bd5b84a8c70b6adfe9d9ccbbcf28b5d777a6ac0806e55db38a319db4
-
Filesize
1KB
MD5237ecb06474534051cc62e444e96216b
SHA17f16e5a2a806a98678c7870ff329eb50c5d149ca
SHA25601370e51162644e0f340b156183d3476d392457357277d0985ea5534006626f9
SHA5122c1e18896b639fd2e4ec16ace8ebf8771b9d7d8a2b28fbff4abe4a6c353c0007f50a2d8190ce6682bff7535c3f92d402dbbbb8beb92985caaabf81faf0a34099
-
Filesize
1KB
MD5da10c67cef61989271389d5cb7770e41
SHA131c5dcc027d5039fba74a0f28fc1c0fdcbdcd4ca
SHA256515f8cfef962fe1875bf08bd961288edc708126e3ceb9ced9e76fc02aa18a32b
SHA51247e6b831f451dbbab6c50eb8f34c0a6fb976da4f7e1da851da60bfe37530d62c9504106c2e7286a8ea8941c3a12d5726b8a47342fd5257aff0cf0cfd1dd6d86f
-
Filesize
1KB
MD5af842e5fe432eee60d1d31c5978e83e6
SHA192688c69925218f7a53c85088e003bc5e5f10448
SHA256b765cdfd1714d896487978a85efcd6eb52b4575d2c3de0f23d9c2c4317c3032e
SHA5120b6e98921d6480fd5b0567f5cf6afac9cc338f4698461e08e0f02823f895b64ff3fe7aff739904c28311ca5ca5eab43b2bd3f1c8fccfce0e673bc38331fe3bee
-
Filesize
246B
MD53fe1eba5bf381902152385fbbb8aa9d8
SHA17b8b6487d4e7ef2d6006fff6275ae2f7a76c0d2a
SHA256f1d2e1e8e4669d0ce6672a6e4582171af8f0392fca11d7b8de6cef65f20e02f4
SHA512675ea357c0a125cbbe933d8909328103286eb75b3595ee2e1bd02d4a3f4b7a41e843f70b121284c7ebd4b888d93c1daf7a35750cb584d2fc9bb8e5ef7ab38208
-
Filesize
6KB
MD5a7feb14d745fe607358430777cc80f62
SHA17eea991d5b60959ff5037192fcaa208fc47cd62d
SHA256bfc6f5ce527c669c633ec4d7bdbeb1a15dfb02cf3462a769d6992dde8eeecc71
SHA5129dddd44b89fc6c9d6b1f12b4bdfdcc4699642834ed24200bf3ffb2c1f302e6d144c293323a82f318a5e91619026271fc1f2d031414c8038ca4a80d415719e363
-
Filesize
246B
MD520282684a8d69e5acba249ee25c2bb61
SHA1680b9e214ef54c498ca185e66faa1ffc147b8475
SHA25622249cbbfba69f3f33dd2c8858e79ffb4e7c7170b080342d97f4649ea39b3bb0
SHA5123fc8903c2325d0203888f651a98b250553adc4dc0e98e0af60c2ae94660bd0825a5369e7601f55ff149279cb236c30363d59e3db433255a8fc42257fe43b6897
-
Filesize
6KB
MD525085ce879dbb456dfdeb51bbc52e0ff
SHA130f1c097af5a49542013c61e3d0e692eaa1b7535
SHA256561a108067ab3314ac34c61909fc105606a5e473898713ac5b2dcf4dd8d510ff
SHA51254fbcac31f911c69602a94e29842bff35d6b496e64b06862e9828447a32de2b74cb5ccef1823862543ed59dc9329e6dc7da229afac5c8af8ec7754fc25111851
-
Filesize
246B
MD5981065c3b974d228f2a5bdd84174eba0
SHA1d0dc97e7a420ffeab9916efc7a9c8d7c8cc6775a
SHA256d0d6bffae8a0aa67a8a18e0c62fef3851186befc1da220dd27b2997c0d5fef63
SHA512152bc8f690c517a69e290e355d251a75d683719323ce8d331dc3ae502685990dade95e961c19eb78cfe0c27bd20211626c22a9cfcf403144be572c41f2817f80
-
Filesize
6KB
MD58fee55d4820de791f994e01c2a04cd78
SHA1e66da0abb0a3dc31be02250ea0de762f931fb90d
SHA25642e253d22f1cd948c3711d241857aa1a17f759e6403aff76d853cbebf82a3e8d
SHA512832d597c8efcf594792265873106b6621cc772abfc8ddaaf1f20ab35ba389382b7a19e7674c723c46d47e64f9978d421bc03eb7aa5dde1b404a882921feed148
-
Filesize
682B
MD5d75bfbe0fa5d960574a8efc837185f48
SHA1cea7f249ae87d69c4915dbe2159b6c53091a7b4a
SHA256ef55874d0838b3194bcf3828381c132229825db8c638002bed8402f235e45625
SHA51202924da7fa09e20ca59dcd6557b1f6d0a016b302f42ee0ec15fa9d080c0476afec19c84622fa496ad02a58b60fa7bdc3fd5305b1401426f0e014fbda9edf076f
-
Filesize
246B
MD5a7c425558e6d8e5bba2353c1f0e9f5b0
SHA11945917be47d7d2e2110d289891fa57f1e9f8e20
SHA256c922d05e7bac8eb33bcb24a0dc789c64d9e6617cc37b446cba415b7568afe7da
SHA51265d1d5441a57fd91ff8b0002b83dd8e6604fdb1919112204c8f4e6cc3ae5e79ecac769320e4c4d17b29580a834e6af08b4d9fa0ed2510fe1f6966004eba9d987
-
Filesize
6KB
MD5c1982485e2cc2d32073b85f8733a2b4c
SHA117798290855afa184492c53b267ddef571f09055
SHA256e9290e73953374866c6aa858230a56ef1ea763acf54aef532eb98e3ea5ab8723
SHA51218e3ac2d5aa430a5ae55ff3459a11d6ddc3674c6dec72d139ee395e3d107c2be3017c783f19e245ae98549dff9945eb7bddde97b3b7469e4a1a9e3e7aabf9f2e
-
Filesize
246B
MD56b03d54de5c9fb9e6cec26627d16fd71
SHA14c9430286b744f429c6b80e81e7b676d891a91a8
SHA2569700e5d2f42b886244e2d84b870f06dbe3f22302490943658ff127268721fa04
SHA51261049546927273bd38a0f586b29924cdb9f99d651a52e87c86dd393e25205f928ba1dd864d5c871c0e6aa133a57fff0ebb386c6e8a70cc9b4ae294fdf40ec72c
-
Filesize
652B
MD5a7797a6adb66eecbba4f75c97c553adb
SHA14098ab64df7aa3b2b779dc182451702236b6cf99
SHA2569ac95b7bba85f690fd90c6e01c52404616b7e9aa5f1776367945c535102bcc91
SHA512c669c0e8f1de54e029d888a973afe024cd702931e446b20f811aef3b9813a6357f486cd2e1dee436a2b6ab44ddeacf5145ed469fb76e34662e4684125a1abfcb
-
Filesize
652B
MD5901bf410d1099fe25aa2831f0f791dbb
SHA14b4e16047f56a7b51a61a444f4c105928858f672
SHA256da2681d3ee8ec9a63c9516029a74dcc24c5dcddca37dbe8257e76e13790c4add
SHA51231aa8342dd2265f659c55a5f47786fc99e46f72206896f7c2b6c052e8b3d885852def7c68d823a72bf88d46a297890e65bc49b38be5bb15509aa08f599ffe0c6
-
Filesize
652B
MD503f3b9974877c7da138cd50c6477243e
SHA16dca610ba38e14bbc58f510c14c8c66a4adbbc3d
SHA2568309851154dae82a74a6ee8f841e9fd6aa71b2d6690cdd690c8b2e855a84674d
SHA512f019d33d97b6f60ca7d465383eaf956f760c57e58ca0b88c1c97910134ec7d295d4e9d8ceee068593c1b7fce415b0465a9ca13c7009ef87854b92df3a320e1fc
-
Filesize
652B
MD58063aa4372cde9aaf086dcfb98ad65e8
SHA1b1632539ffbbb2da333d5dd3824fb570cfdef82d
SHA25668d078422d6e0417c85c28ce88577037b3f196d9039e7f2fab1a763f7bb0459a
SHA5123b46f31077eee250dd3925297d7b436e60c48fa341be0bb855bf64ef122c799096223c889af5e04d4ee5c9e916adeddb14b6ad2f096fd2c6eafcc029332e1356
-
Filesize
1.1MB
MD534aa912defa18c2c129f1e09d75c1d7e
SHA19c3046324657505a30ecd9b1fdb46c05bde7d470
SHA2566df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
Filesize
1.2MB
MD5b64c82d841f0ca478ee4b052973ec8de
SHA11d6b7f8243fff0e5cd771e999c9098423e99eeb1
SHA25632c7f3af9df7f9d50047f168e069bd4e06122efe825db2dd0fae34e2c05ce9ab
SHA5121d9bfe0e21a6c1639eaa908fef16d3d6777fd0fb08ccd3c014600449fb5df8977fa58986a2afa49c4971b18f63ab802fa779d70e78d4fc3da7314dfbe5c38623
-
Filesize
1024B
MD554b1c45da8980b32759042e2c3c78dfb
SHA111e8bc2db98786c69e5dadf53d00ff3ee03d64f8
SHA2569d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773
SHA51273169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB
-
Filesize
732KB