Overview

overview

10

Static

static

5

JaffaCakes...a2.exe

windows7-x64

10

JaffaCakes...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/02/2025, 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_21d622626b25c17e938eb187443407a2.exe

  • Size

    789KB

  • MD5

    21d622626b25c17e938eb187443407a2

  • SHA1

    43f935f2449c40b024f664f94c2b523f783f77aa

  • SHA256

    c90479e3c119aeeb0f48e665d648033ce8e7125a345ce78f7b71c12cf55f3720

  • SHA512

    b396032b3f78e37bdddf5b3c7c853d9c5ad9ef9171305d7f0684709f25a5142fe155f2c4c8e1c0f7e13e0f0193dbcab5d1ecb13375718a4262ce66ecadac4bcf

  • SSDEEP

    24576:ej1Q2vvcjNrMbwT67tUP/3mXJYX7TwBimh/F2x:c1Q2vkjN4e6JUP/3YiXHaiAAx

Score
10/10
darkcometrunescapediscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

RUNESCAPE

C2

kaizuma911.zapto.org:1604

Mutex

DC_MUTEX-JLH7DEA

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    q8D�XJAZmQgV

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    winupdater

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 33 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 55 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 32 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • UPX packed file 52 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 56 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21d622626b25c17e938eb187443407a2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21d622626b25c17e938eb187443407a2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21d622626b25c17e938eb187443407a2.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21d622626b25c17e938eb187443407a2.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:3208
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
          • Checks BIOS information in registry
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3744
      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
        "C:\Windows\system32\Windupdt\winupdate.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:3684
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2404
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            5⤵
              PID:3232
            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
              "C:\Windows\system32\Windupdt\winupdate.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:4044
              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                6⤵
                • Modifies WinLogon for persistence
                • Checks BIOS information in registry
                • Checks computer location settings
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Enumerates system info in registry
                PID:4340
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  7⤵
                  • Adds Run key to start application
                  PID:4276
                • C:\Windows\SysWOW64\explorer.exe
                  "C:\Windows\SysWOW64\explorer.exe"
                  7⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious use of SetWindowsHookEx
                  PID:2220
                  • C:\Windows\SysWOW64\explorer.exe
                    "C:\Windows\SysWOW64\explorer.exe"
                    8⤵
                    • Checks BIOS information in registry
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    • Enumerates system info in registry
                    PID:452
                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                  "C:\Windows\system32\Windupdt\winupdate.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of SetWindowsHookEx
                  PID:952
                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                    8⤵
                    • Modifies WinLogon for persistence
                    • Checks BIOS information in registry
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    • Enumerates system info in registry
                    PID:1952
                    • C:\Windows\SysWOW64\notepad.exe
                      notepad
                      9⤵
                      • Adds Run key to start application
                      PID:4852
                    • C:\Windows\SysWOW64\explorer.exe
                      "C:\Windows\SysWOW64\explorer.exe"
                      9⤵
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:2260
                      • C:\Windows\SysWOW64\explorer.exe
                        "C:\Windows\SysWOW64\explorer.exe"
                        10⤵
                        • Checks BIOS information in registry
                        • System Location Discovery: System Language Discovery
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        PID:388
                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                      "C:\Windows\system32\Windupdt\winupdate.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of SetWindowsHookEx
                      PID:3404
                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                        10⤵
                        • Modifies WinLogon for persistence
                        • Checks BIOS information in registry
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Checks processor information in registry
                        • Enumerates system info in registry
                        PID:3060
                        • C:\Windows\SysWOW64\notepad.exe
                          notepad
                          11⤵
                          • Adds Run key to start application
                          • Drops file in System32 directory
                          PID:4160
                        • C:\Windows\SysWOW64\explorer.exe
                          "C:\Windows\SysWOW64\explorer.exe"
                          11⤵
                          • Suspicious use of SetThreadContext
                          • Suspicious use of SetWindowsHookEx
                          PID:1236
                          • C:\Windows\SysWOW64\explorer.exe
                            "C:\Windows\SysWOW64\explorer.exe"
                            12⤵
                            • Checks BIOS information in registry
                            • Enumerates system info in registry
                            PID:3636
                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                          "C:\Windows\system32\Windupdt\winupdate.exe"
                          11⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of SetWindowsHookEx
                          PID:1436
                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                            12⤵
                            • Modifies WinLogon for persistence
                            • Checks BIOS information in registry
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops file in System32 directory
                            • Suspicious use of SetThreadContext
                            • Checks processor information in registry
                            • Enumerates system info in registry
                            PID:1692
                            • C:\Windows\SysWOW64\notepad.exe
                              notepad
                              13⤵
                              • Adds Run key to start application
                              • Drops file in System32 directory
                              PID:2468
                            • C:\Windows\SysWOW64\explorer.exe
                              "C:\Windows\SysWOW64\explorer.exe"
                              13⤵
                              • Suspicious use of SetThreadContext
                              • Suspicious use of SetWindowsHookEx
                              PID:4604
                              • C:\Windows\SysWOW64\explorer.exe
                                "C:\Windows\SysWOW64\explorer.exe"
                                14⤵
                                • Checks BIOS information in registry
                                • Checks processor information in registry
                                • Enumerates system info in registry
                                PID:4480
                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                              "C:\Windows\system32\Windupdt\winupdate.exe"
                              13⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:4600
                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                14⤵
                                • Modifies WinLogon for persistence
                                • Checks BIOS information in registry
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Drops file in System32 directory
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                • Checks processor information in registry
                                • Enumerates system info in registry
                                PID:2368
                                • C:\Windows\SysWOW64\notepad.exe
                                  notepad
                                  15⤵
                                  • Adds Run key to start application
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  PID:1936
                                • C:\Windows\SysWOW64\explorer.exe
                                  "C:\Windows\SysWOW64\explorer.exe"
                                  15⤵
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3208
                                  • C:\Windows\SysWOW64\explorer.exe
                                    "C:\Windows\SysWOW64\explorer.exe"
                                    16⤵
                                    • Checks BIOS information in registry
                                    • System Location Discovery: System Language Discovery
                                    • Checks processor information in registry
                                    • Enumerates system info in registry
                                    PID:2512
                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                  15⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5112
                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                    16⤵
                                    • Modifies WinLogon for persistence
                                    • Checks BIOS information in registry
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Drops file in System32 directory
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    • Checks processor information in registry
                                    • Enumerates system info in registry
                                    PID:2588
                                    • C:\Windows\SysWOW64\notepad.exe
                                      notepad
                                      17⤵
                                      • Adds Run key to start application
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      PID:760
                                    • C:\Windows\SysWOW64\explorer.exe
                                      "C:\Windows\SysWOW64\explorer.exe"
                                      17⤵
                                      • Suspicious use of SetThreadContext
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1496
                                      • C:\Windows\SysWOW64\explorer.exe
                                        "C:\Windows\SysWOW64\explorer.exe"
                                        18⤵
                                        • Checks BIOS information in registry
                                        • System Location Discovery: System Language Discovery
                                        • Checks processor information in registry
                                        • Enumerates system info in registry
                                        PID:4872
                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                      17⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3148
                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                        18⤵
                                        • Modifies WinLogon for persistence
                                        • Checks BIOS information in registry
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        • Drops file in System32 directory
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        • Checks processor information in registry
                                        • Enumerates system info in registry
                                        PID:4956
                                        • C:\Windows\SysWOW64\notepad.exe
                                          notepad
                                          19⤵
                                          • Adds Run key to start application
                                          • System Location Discovery: System Language Discovery
                                          PID:3796
                                        • C:\Windows\SysWOW64\explorer.exe
                                          "C:\Windows\SysWOW64\explorer.exe"
                                          19⤵
                                          • Suspicious use of SetThreadContext
                                          • Suspicious use of SetWindowsHookEx
                                          PID:3632
                                          • C:\Windows\SysWOW64\explorer.exe
                                            "C:\Windows\SysWOW64\explorer.exe"
                                            20⤵
                                            • Checks BIOS information in registry
                                            • System Location Discovery: System Language Discovery
                                            • Checks processor information in registry
                                            • Enumerates system info in registry
                                            PID:2256
                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                          19⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2032
                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                            20⤵
                                            • Modifies WinLogon for persistence
                                            • Checks BIOS information in registry
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            • Drops file in System32 directory
                                            • System Location Discovery: System Language Discovery
                                            • Checks processor information in registry
                                            • Enumerates system info in registry
                                            PID:404
                                            • C:\Windows\SysWOW64\notepad.exe
                                              notepad
                                              21⤵
                                              • Adds Run key to start application
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              PID:1488
                                            • C:\Windows\SysWOW64\explorer.exe
                                              "C:\Windows\SysWOW64\explorer.exe"
                                              21⤵
                                                PID:2416
                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                21⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:1880
                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                  22⤵
                                                  • Modifies WinLogon for persistence
                                                  • Checks BIOS information in registry
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Adds Run key to start application
                                                  • Drops file in System32 directory
                                                  • Suspicious use of SetThreadContext
                                                  • Checks processor information in registry
                                                  • Enumerates system info in registry
                                                  PID:3272
                                                  • C:\Windows\SysWOW64\notepad.exe
                                                    notepad
                                                    23⤵
                                                    • Adds Run key to start application
                                                    PID:4568
                                                  • C:\Windows\SysWOW64\explorer.exe
                                                    "C:\Windows\SysWOW64\explorer.exe"
                                                    23⤵
                                                    • Suspicious use of SetThreadContext
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:760
                                                    • C:\Windows\SysWOW64\explorer.exe
                                                      "C:\Windows\SysWOW64\explorer.exe"
                                                      24⤵
                                                      • Checks BIOS information in registry
                                                      • Checks processor information in registry
                                                      • Enumerates system info in registry
                                                      PID:1384
                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                    23⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:4672
                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                      24⤵
                                                      • Modifies WinLogon for persistence
                                                      • Checks BIOS information in registry
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Adds Run key to start application
                                                      • Drops file in System32 directory
                                                      • Suspicious use of SetThreadContext
                                                      • Enumerates system info in registry
                                                      PID:3544
                                                      • C:\Windows\SysWOW64\notepad.exe
                                                        notepad
                                                        25⤵
                                                        • Adds Run key to start application
                                                        PID:4408
                                                      • C:\Windows\SysWOW64\explorer.exe
                                                        "C:\Windows\SysWOW64\explorer.exe"
                                                        25⤵
                                                        • Suspicious use of SetThreadContext
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1492
                                                        • C:\Windows\SysWOW64\explorer.exe
                                                          "C:\Windows\SysWOW64\explorer.exe"
                                                          26⤵
                                                          • Checks BIOS information in registry
                                                          • System Location Discovery: System Language Discovery
                                                          • Enumerates system info in registry
                                                          PID:4052
                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                        25⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1176
                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                          26⤵
                                                          • Modifies WinLogon for persistence
                                                          • Checks BIOS information in registry
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Adds Run key to start application
                                                          • Drops file in System32 directory
                                                          • Checks processor information in registry
                                                          • Enumerates system info in registry
                                                          PID:732
                                                          • C:\Windows\SysWOW64\notepad.exe
                                                            notepad
                                                            27⤵
                                                            • Adds Run key to start application
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2032
                                                          • C:\Windows\SysWOW64\explorer.exe
                                                            "C:\Windows\SysWOW64\explorer.exe"
                                                            27⤵
                                                              PID:3636
                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                              27⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:1236
                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                28⤵
                                                                • Modifies WinLogon for persistence
                                                                • Checks BIOS information in registry
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Adds Run key to start application
                                                                • Suspicious use of SetThreadContext
                                                                • System Location Discovery: System Language Discovery
                                                                • Checks processor information in registry
                                                                • Enumerates system info in registry
                                                                PID:1484
                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                  notepad
                                                                  29⤵
                                                                  • Adds Run key to start application
                                                                  • Drops file in System32 directory
                                                                  PID:1528
                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                  "C:\Windows\SysWOW64\explorer.exe"
                                                                  29⤵
                                                                  • Suspicious use of SetThreadContext
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:448
                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                    "C:\Windows\SysWOW64\explorer.exe"
                                                                    30⤵
                                                                    • Checks BIOS information in registry
                                                                    • Checks processor information in registry
                                                                    • Enumerates system info in registry
                                                                    PID:2872
                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                  29⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:4412
                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                    30⤵
                                                                    • Modifies WinLogon for persistence
                                                                    • Checks BIOS information in registry
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    • Drops file in System32 directory
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Enumerates system info in registry
                                                                    PID:2492
                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                      notepad
                                                                      31⤵
                                                                      • Adds Run key to start application
                                                                      • Drops file in System32 directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3468
                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                      "C:\Windows\SysWOW64\explorer.exe"
                                                                      31⤵
                                                                      • Suspicious use of SetThreadContext
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:3228
                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                        "C:\Windows\SysWOW64\explorer.exe"
                                                                        32⤵
                                                                        • Checks BIOS information in registry
                                                                        • Checks processor information in registry
                                                                        • Enumerates system info in registry
                                                                        PID:4896
                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                      31⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetThreadContext
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:4784
                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                        "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                        32⤵
                                                                        • Modifies WinLogon for persistence
                                                                        • Checks BIOS information in registry
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • Drops file in System32 directory
                                                                        • Checks processor information in registry
                                                                        • Enumerates system info in registry
                                                                        PID:2712
                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                          notepad
                                                                          33⤵
                                                                          • Adds Run key to start application
                                                                          PID:888
                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                          "C:\Windows\SysWOW64\explorer.exe"
                                                                          33⤵
                                                                            PID:4968
                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                            33⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:1880
                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                              34⤵
                                                                              • Modifies WinLogon for persistence
                                                                              • Checks BIOS information in registry
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Adds Run key to start application
                                                                              • Drops file in System32 directory
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Checks processor information in registry
                                                                              • Enumerates system info in registry
                                                                              PID:2524
                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                notepad
                                                                                35⤵
                                                                                • Adds Run key to start application
                                                                                • Drops file in System32 directory
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3012
                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                "C:\Windows\SysWOW64\explorer.exe"
                                                                                35⤵
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:748
                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                  "C:\Windows\SysWOW64\explorer.exe"
                                                                                  36⤵
                                                                                  • Checks BIOS information in registry
                                                                                  • Checks processor information in registry
                                                                                  • Enumerates system info in registry
                                                                                  PID:3992
                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                35⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1384
                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                  36⤵
                                                                                  • Modifies WinLogon for persistence
                                                                                  • Checks BIOS information in registry
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Adds Run key to start application
                                                                                  • Drops file in System32 directory
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Enumerates system info in registry
                                                                                  PID:1168
                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                    notepad
                                                                                    37⤵
                                                                                      PID:4136
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 76
                                                                                        38⤵
                                                                                        • Program crash
                                                                                        PID:1336
                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                      "C:\Windows\SysWOW64\explorer.exe"
                                                                                      37⤵
                                                                                        PID:624
                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                        37⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:1520
                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                          38⤵
                                                                                          • Modifies WinLogon for persistence
                                                                                          • Checks BIOS information in registry
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Adds Run key to start application
                                                                                          • Drops file in System32 directory
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Checks processor information in registry
                                                                                          • Enumerates system info in registry
                                                                                          PID:3724
                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                            notepad
                                                                                            39⤵
                                                                                            • Adds Run key to start application
                                                                                            • Drops file in System32 directory
                                                                                            PID:4660
                                                                                          • C:\Windows\SysWOW64\explorer.exe
                                                                                            "C:\Windows\SysWOW64\explorer.exe"
                                                                                            39⤵
                                                                                            • Suspicious use of SetThreadContext
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:1436
                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                              "C:\Windows\SysWOW64\explorer.exe"
                                                                                              40⤵
                                                                                              • Checks BIOS information in registry
                                                                                              • Checks processor information in registry
                                                                                              • Enumerates system info in registry
                                                                                              PID:1776
                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                            39⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:840
                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                              40⤵
                                                                                              • Modifies WinLogon for persistence
                                                                                              • Checks BIOS information in registry
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Adds Run key to start application
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • Checks processor information in registry
                                                                                              • Enumerates system info in registry
                                                                                              PID:2824
                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                notepad
                                                                                                41⤵
                                                                                                • Adds Run key to start application
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4160
                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                "C:\Windows\SysWOW64\explorer.exe"
                                                                                                41⤵
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:4412
                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                  "C:\Windows\SysWOW64\explorer.exe"
                                                                                                  42⤵
                                                                                                  • Checks BIOS information in registry
                                                                                                  • Checks processor information in registry
                                                                                                  • Enumerates system info in registry
                                                                                                  PID:4300
                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                41⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:3784
                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                  "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                  42⤵
                                                                                                  • Modifies WinLogon for persistence
                                                                                                  • Checks BIOS information in registry
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Adds Run key to start application
                                                                                                  • Drops file in System32 directory
                                                                                                  • Suspicious use of SetThreadContext
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Checks processor information in registry
                                                                                                  • Enumerates system info in registry
                                                                                                  PID:3824
                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                    notepad
                                                                                                    43⤵
                                                                                                    • Adds Run key to start application
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:2660
                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                    "C:\Windows\SysWOW64\explorer.exe"
                                                                                                    43⤵
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:3208
                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                      "C:\Windows\SysWOW64\explorer.exe"
                                                                                                      44⤵
                                                                                                      • Checks BIOS information in registry
                                                                                                      • Checks processor information in registry
                                                                                                      • Enumerates system info in registry
                                                                                                      PID:1644
                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                    43⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:2560
                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                      44⤵
                                                                                                      • Modifies WinLogon for persistence
                                                                                                      • Checks BIOS information in registry
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Adds Run key to start application
                                                                                                      • Drops file in System32 directory
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Enumerates system info in registry
                                                                                                      PID:2652
                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                        notepad
                                                                                                        45⤵
                                                                                                        • Adds Run key to start application
                                                                                                        PID:4736
                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                        "C:\Windows\SysWOW64\explorer.exe"
                                                                                                        45⤵
                                                                                                          PID:4568
                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                          45⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:1072
                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                            46⤵
                                                                                                            • Modifies WinLogon for persistence
                                                                                                            • Checks BIOS information in registry
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • Adds Run key to start application
                                                                                                            • Drops file in System32 directory
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Checks processor information in registry
                                                                                                            • Enumerates system info in registry
                                                                                                            PID:2520
                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                              notepad
                                                                                                              47⤵
                                                                                                              • Adds Run key to start application
                                                                                                              • Drops file in System32 directory
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:1988
                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                              "C:\Windows\SysWOW64\explorer.exe"
                                                                                                              47⤵
                                                                                                              • Suspicious use of SetThreadContext
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:996
                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                48⤵
                                                                                                                • Checks BIOS information in registry
                                                                                                                • Enumerates system info in registry
                                                                                                                PID:2180
                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                              47⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetThreadContext
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:4276
                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                48⤵
                                                                                                                • Modifies WinLogon for persistence
                                                                                                                • Checks BIOS information in registry
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Adds Run key to start application
                                                                                                                • Drops file in System32 directory
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Checks processor information in registry
                                                                                                                • Enumerates system info in registry
                                                                                                                PID:2948
                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                  notepad
                                                                                                                  49⤵
                                                                                                                  • Adds Run key to start application
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:624
                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                  "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                  49⤵
                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:1168
                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                    "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                    50⤵
                                                                                                                    • Checks BIOS information in registry
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Checks processor information in registry
                                                                                                                    • Enumerates system info in registry
                                                                                                                    PID:2340
                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                  49⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:4988
                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                    50⤵
                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                    • Checks BIOS information in registry
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Adds Run key to start application
                                                                                                                    • Drops file in System32 directory
                                                                                                                    • Enumerates system info in registry
                                                                                                                    PID:5092
                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                      notepad
                                                                                                                      51⤵
                                                                                                                      • Adds Run key to start application
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:1236
                                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                                      "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                      51⤵
                                                                                                                        PID:952
                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                        51⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:1840
                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                          52⤵
                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                          • Checks BIOS information in registry
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Adds Run key to start application
                                                                                                                          • Drops file in System32 directory
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:1776
                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                            notepad
                                                                                                                            53⤵
                                                                                                                            • Adds Run key to start application
                                                                                                                            PID:3512
                                                                                                                          • C:\Windows\SysWOW64\explorer.exe
                                                                                                                            "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                            53⤵
                                                                                                                              PID:4060
                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                              53⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:916
                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                54⤵
                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                • Checks BIOS information in registry
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Adds Run key to start application
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                • Enumerates system info in registry
                                                                                                                                PID:2500
                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                  notepad
                                                                                                                                  55⤵
                                                                                                                                    PID:3000
                                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                    55⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:3688
                                                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                      "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                      56⤵
                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Checks processor information in registry
                                                                                                                                      • Enumerates system info in registry
                                                                                                                                      PID:4264
                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                    "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                    55⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                    PID:2872
                                                                                                                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                      "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                      56⤵
                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Adds Run key to start application
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Checks processor information in registry
                                                                                                                                      • Enumerates system info in registry
                                                                                                                                      PID:4736
                                                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                        notepad
                                                                                                                                        57⤵
                                                                                                                                        • Adds Run key to start application
                                                                                                                                        PID:884
                                                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                        "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                        57⤵
                                                                                                                                          PID:1072
                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                          "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                          57⤵
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                          PID:1432
                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                            "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                            58⤵
                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                            • Checks computer location settings
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            • Checks processor information in registry
                                                                                                                                            • Enumerates system info in registry
                                                                                                                                            PID:532
                                                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                              notepad
                                                                                                                                              59⤵
                                                                                                                                              • Adds Run key to start application
                                                                                                                                              • Drops file in System32 directory
                                                                                                                                              PID:1316
                                                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                              "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                              59⤵
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:748
                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                60⤵
                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Checks processor information in registry
                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                PID:2844
                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                              "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                              59⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:2296
                                                                                                                                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                60⤵
                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                • Checks computer location settings
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Adds Run key to start application
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                PID:2924
                                                                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                  notepad
                                                                                                                                                  61⤵
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:4032
                                                                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                  "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                  61⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:4988
                                                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                    62⤵
                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                    PID:1480
                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                  61⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                  PID:1336
                                                                                                                                                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                    "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                    62⤵
                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                    PID:1596
                                                                                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                      notepad
                                                                                                                                                      63⤵
                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:4832
                                                                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                      "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                      63⤵
                                                                                                                                                        PID:3976
                                                                                                                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                        63⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                        PID:1776
                                                                                                                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                          "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                          64⤵
                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                          PID:1332
                                                                                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                            notepad
                                                                                                                                                            65⤵
                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:5036
                                                                                                                                                          • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                            "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                            65⤵
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:916
                                                                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                              "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                              66⤵
                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                              PID:1364
                                                                                                                                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                            65⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                                                            PID:4452
                                                                                                                                                            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                              "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
                                                                                                                                                              66⤵
                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                              PID:3468
                                                                                                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                                                                                                notepad
                                                                                                                                                                67⤵
                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                                PID:2408
                                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                "C:\Windows\SysWOW64\explorer.exe"
                                                                                                                                                                67⤵
                                                                                                                                                                  PID:3684
                                                                                                                                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                                                                                                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                                                                                                                                  67⤵
                                                                                                                                                                    PID:4508
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4136 -ip 4136
                                1⤵
                                  PID:2924
                                • C:\Windows\SysWOW64\notepad.exe
                                  notepad
                                  1⤵
                                    PID:3216
                                  • C:\Windows\SysWOW64\explorer.exe
                                    "C:\Windows\SysWOW64\explorer.exe"
                                    1⤵
                                      PID:3716
                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                      1⤵
                                        PID:4340

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                        Filesize

                                        789KB

                                        MD5

                                        21d622626b25c17e938eb187443407a2

                                        SHA1

                                        43f935f2449c40b024f664f94c2b523f783f77aa

                                        SHA256

                                        c90479e3c119aeeb0f48e665d648033ce8e7125a345ce78f7b71c12cf55f3720

                                        SHA512

                                        b396032b3f78e37bdddf5b3c7c853d9c5ad9ef9171305d7f0684709f25a5142fe155f2c4c8e1c0f7e13e0f0193dbcab5d1ecb13375718a4262ce66ecadac4bcf

                                        Download Submit

                                      • memory/840-315-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/840-305-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/916-414-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/916-407-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/952-66-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1072-359-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1176-207-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1176-216-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1236-226-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1336-475-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1384-287-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1432-441-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1436-101-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1520-296-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1776-485-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1840-403-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1880-270-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1880-181-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1880-174-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/1888-9-0x00000000022B0000-0x00000000022B1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/1888-26-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/1888-8-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/1888-7-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/1888-4-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/1888-3-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/2032-170-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2220-52-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2220-54-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2260-70-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2260-69-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2296-39-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2296-25-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2296-458-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2344-31-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2344-20-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2344-18-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2344-16-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2560-349-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/2872-431-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/3148-153-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/3208-11-0x0000000000A70000-0x0000000000A71000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3256-0-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/3256-6-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/3404-75-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/3404-84-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/3684-37-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/3744-34-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/3744-30-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/3744-33-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/3744-32-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/3784-332-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4044-49-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4276-376-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4340-47-0x0000000013140000-0x00000000131F6000-memory.dmp

                                        Filesize

                                        728KB

                                        Download

                                      • memory/4412-243-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4452-501-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4452-493-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4600-118-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4600-110-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4672-198-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4784-260-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/4988-393-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/5112-127-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download

                                      • memory/5112-137-0x0000000000400000-0x00000000004EC000-memory.dmp

                                        Filesize

                                        944KB

                                        Download