darkcomet | 122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Size

904KB
MD5

1cd7f3d1789fce8865ceb8a1efef4c91
SHA1

a990cddb8534faab48e2f97ee5b699bd5311623c
SHA256

122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a
SHA512

e1da51d7c204658d922460d0f7c750b2f0a6768c7f3071ed7ce908303d775cacf63f0132f8aee04fca52057b7b4ed231e017e3eeb1eace8c9605f521e125538f
SSDEEP

12288:y3Or9fnnE3OtPtNOzifk58f0LHj5iL3wBt6PSPRfsV0eQWdFfefL432hjvB7eb25:3aetlT86f07jUMBtPRjmeTKCjvde0

Score

10^/10

darkcomet bootkit evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe"	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe,C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe

Sets file to hidden 1 TTPs 23 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
3064	attrib.exe
1156	attrib.exe
1976	attrib.exe
1752	attrib.exe
2488	attrib.exe
1752	attrib.exe
1088	attrib.exe
2764	attrib.exe
2892	attrib.exe
2440	attrib.exe
1052	attrib.exe
2128	attrib.exe
1240	attrib.exe
2128	attrib.exe
1588	attrib.exe
2916	attrib.exe
2396	attrib.exe
2868	attrib.exe
772	attrib.exe
2516	attrib.exe
2312	attrib.exe
2608	attrib.exe
844	attrib.exe

Executes dropped EXE 64 IoCs

Processes:

javaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe

pid	process
2392	javaupdate.exe
2480	javaupdate.exe
2920	javaupdate.exe
2152	javaupdate.exe
1576	javaupdate.exe
3028	javaupdate.exe
1484	javaupdate.exe
824	javaupdate.exe
2812	javaupdate.exe
1636	javaupdate.exe
3036	javaupdate.exe
2200	javaupdate.exe
2972	javaupdate.exe
2676	javaupdate.exe
2708	javaupdate.exe
2872	javaupdate.exe
2484	javaupdate.exe
2276	javaupdate.exe
1588	javaupdate.exe
1608	javaupdate.exe
2760	javaupdate.exe
1712	javaupdate.exe
1800	javaupdate.exe
1556	javaupdate.exe
2196	javaupdate.exe
2004	javaupdate.exe
2124	javaupdate.exe
3020	javaupdate.exe
2572	javaupdate.exe
2692	javaupdate.exe
2592	javaupdate.exe
2544	javaupdate.exe
1648	javaupdate.exe
2284	javaupdate.exe
484	javaupdate.exe
876	javaupdate.exe
452	javaupdate.exe
316	javaupdate.exe
984	javaupdate.exe
1872	javaupdate.exe
1876	javaupdate.exe
1500	javaupdate.exe
2384	javaupdate.exe
2108	javaupdate.exe
2576	javaupdate.exe
2508	javaupdate.exe
2960	javaupdate.exe
2876	javaupdate.exe
2112	javaupdate.exe
1672	javaupdate.exe
1304	javaupdate.exe
2892	javaupdate.exe
1164	javaupdate.exe
1712	javaupdate.exe
2352	javaupdate.exe
1992	javaupdate.exe
2080	javaupdate.exe
708	javaupdate.exe
2416	javaupdate.exe
1984	javaupdate.exe
2504	javaupdate.exe
2472	javaupdate.exe
1444	javaupdate.exe
1916	javaupdate.exe

Loads dropped DLL 64 IoCs

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe

pid	process
3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
2392	javaupdate.exe
2392	javaupdate.exe
2392	javaupdate.exe
2392	javaupdate.exe
2480	javaupdate.exe
2480	javaupdate.exe
2480	javaupdate.exe
2480	javaupdate.exe
2920	javaupdate.exe
2920	javaupdate.exe
2920	javaupdate.exe
2920	javaupdate.exe
2152	javaupdate.exe
2152	javaupdate.exe
2152	javaupdate.exe
2152	javaupdate.exe
1576	javaupdate.exe
1576	javaupdate.exe
1576	javaupdate.exe
1576	javaupdate.exe
3028	javaupdate.exe
3028	javaupdate.exe
3028	javaupdate.exe
3028	javaupdate.exe
1484	javaupdate.exe
1484	javaupdate.exe
1484	javaupdate.exe
1484	javaupdate.exe
824	javaupdate.exe
824	javaupdate.exe
824	javaupdate.exe
824	javaupdate.exe
2812	javaupdate.exe
2812	javaupdate.exe
2812	javaupdate.exe
2812	javaupdate.exe
1636	javaupdate.exe
1636	javaupdate.exe
1636	javaupdate.exe
1636	javaupdate.exe
3036	javaupdate.exe
3036	javaupdate.exe
3036	javaupdate.exe
3036	javaupdate.exe
2200	javaupdate.exe
2200	javaupdate.exe
2200	javaupdate.exe
2200	javaupdate.exe
2972	javaupdate.exe
2972	javaupdate.exe
2972	javaupdate.exe
2972	javaupdate.exe
2676	javaupdate.exe
2676	javaupdate.exe
2676	javaupdate.exe
2676	javaupdate.exe
2708	javaupdate.exe
2708	javaupdate.exe
2708	javaupdate.exe
2708	javaupdate.exe
2872	javaupdate.exe
2872	javaupdate.exe
2872	javaupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Windows\\system32\\javaupdate.exe"	javaupdate.exe

Writes to the Master Boot Record (MBR) 1 TTPs 24 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

description	ioc	process
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe
File opened for modification	\??\PhysicalDrive0	javaupdate.exe

Drops file in System32 directory 64 IoCs

Processes:

javaupdate.exeattrib.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exeattrib.exeattrib.exeattrib.exeattrib.exejavaupdate.exeattrib.exejavaupdate.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exejavaupdate.exeattrib.exejavaupdate.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File created	C:\Windows\SysWOW64\javaupdate.exe	javaupdate.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\javaupdate.exe	attrib.exe

Suspicious use of SetThreadContext 48 IoCs

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exejavaupdate.exe

description	pid	process	target process
PID 1208 set thread context of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 set thread context of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2392 set thread context of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2480 set thread context of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2152 set thread context of 1576	2152	javaupdate.exe	javaupdate.exe
PID 1576 set thread context of 3028	1576	javaupdate.exe	javaupdate.exe
PID 1484 set thread context of 824	1484	javaupdate.exe	javaupdate.exe
PID 824 set thread context of 2812	824	javaupdate.exe	javaupdate.exe
PID 1636 set thread context of 3036	1636	javaupdate.exe	javaupdate.exe
PID 3036 set thread context of 2200	3036	javaupdate.exe	javaupdate.exe
PID 2972 set thread context of 2676	2972	javaupdate.exe	javaupdate.exe
PID 2676 set thread context of 2708	2676	javaupdate.exe	javaupdate.exe
PID 2872 set thread context of 2484	2872	javaupdate.exe	javaupdate.exe
PID 2484 set thread context of 2276	2484	javaupdate.exe	javaupdate.exe
PID 1588 set thread context of 1608	1588	javaupdate.exe	javaupdate.exe
PID 1608 set thread context of 2760	1608	javaupdate.exe	javaupdate.exe
PID 1712 set thread context of 1800	1712	javaupdate.exe	javaupdate.exe
PID 1800 set thread context of 1556	1800	javaupdate.exe	javaupdate.exe
PID 2196 set thread context of 2004	2196	javaupdate.exe	javaupdate.exe
PID 2004 set thread context of 2124	2004	javaupdate.exe	javaupdate.exe
PID 3020 set thread context of 2572	3020	javaupdate.exe	javaupdate.exe
PID 2572 set thread context of 2692	2572	javaupdate.exe	javaupdate.exe
PID 2592 set thread context of 2544	2592	javaupdate.exe	javaupdate.exe
PID 2544 set thread context of 1648	2544	javaupdate.exe	javaupdate.exe
PID 2284 set thread context of 484	2284	javaupdate.exe	javaupdate.exe
PID 484 set thread context of 876	484	javaupdate.exe	javaupdate.exe
PID 452 set thread context of 316	452	javaupdate.exe	javaupdate.exe
PID 316 set thread context of 984	316	javaupdate.exe	javaupdate.exe
PID 1872 set thread context of 1876	1872	javaupdate.exe	javaupdate.exe
PID 1876 set thread context of 1500	1876	javaupdate.exe	javaupdate.exe
PID 2384 set thread context of 2108	2384	javaupdate.exe	javaupdate.exe
PID 2108 set thread context of 2576	2108	javaupdate.exe	javaupdate.exe
PID 2508 set thread context of 2960	2508	javaupdate.exe	javaupdate.exe
PID 2960 set thread context of 2876	2960	javaupdate.exe	javaupdate.exe
PID 2112 set thread context of 1672	2112	javaupdate.exe	javaupdate.exe
PID 1672 set thread context of 1304	1672	javaupdate.exe	javaupdate.exe
PID 2892 set thread context of 1164	2892	javaupdate.exe	javaupdate.exe
PID 1164 set thread context of 1712	1164	javaupdate.exe	javaupdate.exe
PID 2352 set thread context of 1992	2352	javaupdate.exe	javaupdate.exe
PID 1992 set thread context of 2080	1992	javaupdate.exe	javaupdate.exe
PID 708 set thread context of 2416	708	javaupdate.exe	javaupdate.exe
PID 2416 set thread context of 1984	2416	javaupdate.exe	javaupdate.exe
PID 2504 set thread context of 2472	2504	javaupdate.exe	javaupdate.exe
PID 2472 set thread context of 1444	2472	javaupdate.exe	javaupdate.exe
PID 1916 set thread context of 2344	1916	javaupdate.exe	javaupdate.exe
PID 2344 set thread context of 1540	2344	javaupdate.exe	javaupdate.exe
PID 1108 set thread context of 1644	1108	javaupdate.exe	javaupdate.exe
PID 1644 set thread context of 1736	1644	javaupdate.exe	javaupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exejavaupdate.exejavaupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSecurityPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeBackupPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeRestorePrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeShutdownPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeDebugPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeUndockPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: 33	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: 34	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: 35	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2920	javaupdate.exe
Token: SeSecurityPrivilege	2920	javaupdate.exe
Token: SeTakeOwnershipPrivilege	2920	javaupdate.exe
Token: SeLoadDriverPrivilege	2920	javaupdate.exe
Token: SeSystemProfilePrivilege	2920	javaupdate.exe
Token: SeSystemtimePrivilege	2920	javaupdate.exe
Token: SeProfSingleProcessPrivilege	2920	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2920	javaupdate.exe
Token: SeCreatePagefilePrivilege	2920	javaupdate.exe
Token: SeBackupPrivilege	2920	javaupdate.exe
Token: SeRestorePrivilege	2920	javaupdate.exe
Token: SeShutdownPrivilege	2920	javaupdate.exe
Token: SeDebugPrivilege	2920	javaupdate.exe
Token: SeSystemEnvironmentPrivilege	2920	javaupdate.exe
Token: SeChangeNotifyPrivilege	2920	javaupdate.exe
Token: SeRemoteShutdownPrivilege	2920	javaupdate.exe
Token: SeUndockPrivilege	2920	javaupdate.exe
Token: SeManageVolumePrivilege	2920	javaupdate.exe
Token: SeImpersonatePrivilege	2920	javaupdate.exe
Token: SeCreateGlobalPrivilege	2920	javaupdate.exe
Token: 33	2920	javaupdate.exe
Token: 34	2920	javaupdate.exe
Token: 35	2920	javaupdate.exe
Token: SeRestorePrivilege	2920	javaupdate.exe
Token: SeBackupPrivilege	2920	javaupdate.exe
Token: SeIncreaseQuotaPrivilege	3028	javaupdate.exe
Token: SeSecurityPrivilege	3028	javaupdate.exe
Token: SeTakeOwnershipPrivilege	3028	javaupdate.exe
Token: SeLoadDriverPrivilege	3028	javaupdate.exe
Token: SeSystemProfilePrivilege	3028	javaupdate.exe
Token: SeSystemtimePrivilege	3028	javaupdate.exe
Token: SeProfSingleProcessPrivilege	3028	javaupdate.exe
Token: SeIncBasePriorityPrivilege	3028	javaupdate.exe
Token: SeCreatePagefilePrivilege	3028	javaupdate.exe
Token: SeBackupPrivilege	3028	javaupdate.exe
Token: SeRestorePrivilege	3028	javaupdate.exe
Token: SeShutdownPrivilege	3028	javaupdate.exe
Token: SeDebugPrivilege	3028	javaupdate.exe
Token: SeSystemEnvironmentPrivilege	3028	javaupdate.exe
Token: SeChangeNotifyPrivilege	3028	javaupdate.exe
Token: SeRemoteShutdownPrivilege	3028	javaupdate.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

pid	process
1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
2392	javaupdate.exe
2480	javaupdate.exe
2152	javaupdate.exe
1576	javaupdate.exe
1484	javaupdate.exe
824	javaupdate.exe
1636	javaupdate.exe
3036	javaupdate.exe
2972	javaupdate.exe
2676	javaupdate.exe
2872	javaupdate.exe
2484	javaupdate.exe
1588	javaupdate.exe
1608	javaupdate.exe
1712	javaupdate.exe
1800	javaupdate.exe
2196	javaupdate.exe
2004	javaupdate.exe
3020	javaupdate.exe
2572	javaupdate.exe
2592	javaupdate.exe
2544	javaupdate.exe
2284	javaupdate.exe
484	javaupdate.exe
452	javaupdate.exe
316	javaupdate.exe
1872	javaupdate.exe
1876	javaupdate.exe
2384	javaupdate.exe
2108	javaupdate.exe
2508	javaupdate.exe
2960	javaupdate.exe
2112	javaupdate.exe
1672	javaupdate.exe
2892	javaupdate.exe
1164	javaupdate.exe
2352	javaupdate.exe
1992	javaupdate.exe
708	javaupdate.exe
2416	javaupdate.exe
2504	javaupdate.exe
2472	javaupdate.exe
1916	javaupdate.exe
2344	javaupdate.exe
1108	javaupdate.exe
1644	javaupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.execmd.exejavaupdate.exejavaupdate.exe

description	pid	process	target process
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 1208 wrote to memory of 2036	1208	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 2036 wrote to memory of 3040	2036	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
PID 3040 wrote to memory of 2648	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	cmd.exe
PID 3040 wrote to memory of 2648	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	cmd.exe
PID 3040 wrote to memory of 2648	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	cmd.exe
PID 3040 wrote to memory of 2648	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	cmd.exe
PID 3040 wrote to memory of 2392	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 3040 wrote to memory of 2392	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 3040 wrote to memory of 2392	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 3040 wrote to memory of 2392	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 3040 wrote to memory of 2392	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 3040 wrote to memory of 2392	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 3040 wrote to memory of 2392	3040	1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe	javaupdate.exe
PID 2648 wrote to memory of 2764	2648	cmd.exe	attrib.exe
PID 2648 wrote to memory of 2764	2648	cmd.exe	attrib.exe
PID 2648 wrote to memory of 2764	2648	cmd.exe	attrib.exe
PID 2648 wrote to memory of 2764	2648	cmd.exe	attrib.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2392 wrote to memory of 2480	2392	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe
PID 2480 wrote to memory of 2920	2480	javaupdate.exe	javaupdate.exe

Views/modifies file attributes 1 TTPs 23 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
2440	attrib.exe
1976	attrib.exe
1752	attrib.exe
2488	attrib.exe
1752	attrib.exe
2764	attrib.exe
2312	attrib.exe
844	attrib.exe
1240	attrib.exe
2128	attrib.exe
1588	attrib.exe
1052	attrib.exe
2868	attrib.exe
772	attrib.exe
2516	attrib.exe
1088	attrib.exe
2396	attrib.exe
1156	attrib.exe
2128	attrib.exe
3064	attrib.exe
2892	attrib.exe
2608	attrib.exe
2916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe"
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1cd7f3d1789fce8865ceb8a1efef4c91_JaffaCakes118.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2764

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
PID:2148

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1588

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
11⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2892

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
13⤵
PID:708

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
14⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2312

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
16⤵
PID:2968

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
17⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2608

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
19⤵
PID:2544

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
20⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2916

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
20⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
22⤵
PID:1628

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
23⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:844

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
23⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
25⤵
PID:772

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
26⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2440

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
26⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
27⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
28⤵
PID:1196

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
29⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3064

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
28⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
29⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
31⤵
PID:1996

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
32⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2396

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
32⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
33⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
34⤵
PID:2960

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
35⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1156

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
34⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
37⤵
PID:1672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
38⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1052

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
38⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:484

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
39⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
40⤵
PID:1908

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
41⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1976

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
40⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
41⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:316

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
43⤵
PID:992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
44⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1752

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
44⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
45⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
46⤵
PID:1496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
47⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2868

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
46⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
47⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
49⤵
PID:2640

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
50⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2488

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
50⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
51⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
52⤵
PID:2344

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
53⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2128

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
52⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
53⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
55⤵
PID:464

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
56⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:772

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
56⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
57⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
58⤵
PID:552

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
59⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1752

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
58⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
59⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
60⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
61⤵
PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
62⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1240

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:708

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
62⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
63⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
64⤵
PID:2680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
65⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2516

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
64⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
65⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
66⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
67⤵
PID:2140

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
68⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2128

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
67⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
68⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
69⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
70⤵
PID:2820

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\javaupdate.exe" +s +h
71⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1088

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
70⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
71⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\SysWOW64\javaupdate.exe
"C:\Windows\system32\javaupdate.exe"
72⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
PID:1736

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
101B

MD5
2e75c7cc780d62732d8604c89bb588ff

SHA1
cd1f73d53de7a49e4e908ce76e2fd065e365a70d

SHA256
554a5f6f4b347c7df6c8497369210c374b4a94ace876c24232c99cf942f17041

SHA512
e8f6baf70b8456b14f493f903047ef3a5c609425c2f3ab007fdc319ef6395e3c6934a82a854ae511bcaa328755d9907c3467335c693c2a814b99014f0b9bf965

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
51B

MD5
ed4167b5a442567df6e88fdcbdb4c3df

SHA1
df34a493efcdf2db9dc6639a8c6cc498e1d5d2fb

SHA256
49779c02e089ff017e4dd4d4afb73b3af142b7abe19b99059e04a81f8c81a5fb

SHA512
9888d850e8c902e82abbd62313f21cc46b6a11719a526f6a893deb9f90b13e2e532262a03fd1e53041e0728b4ca637d1fe904f992272a9433938cafbc877ddad

Download Submit
\Windows\SysWOW64\javaupdate.exe
Filesize
904KB

MD5
1cd7f3d1789fce8865ceb8a1efef4c91

SHA1
a990cddb8534faab48e2f97ee5b699bd5311623c

SHA256
122a4b018095b213e356097ddd724c2708fdcddd4ff89d72e73af150f3b5188a

SHA512
e1da51d7c204658d922460d0f7c750b2f0a6768c7f3071ed7ce908303d775cacf63f0132f8aee04fca52057b7b4ed231e017e3eeb1eace8c9605f521e125538f

Download Submit
memory/2036-2-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2036-6-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2036-12-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2036-15-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2036-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-4-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2036-40-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2480-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-38-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-42-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-36-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-30-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-28-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-26-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-24-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-41-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-43-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-32-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-20-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-64-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-22-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3040-18-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads