Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 221s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 10:23
Static task: static1
Behavioral task: behavioral1
- Sample: a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
- Resource: win10v2004-20221111-en
General
- Target: a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
- Size: 820KB
- MD5: 4408d904c304c3becc5b3f28b9fd2b62
- SHA1: 741db1ee6c9dd4daa862c531d4194b2745aa2789
- SHA256: a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02
- SHA512: ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32
- SSDEEP: 12288:xMrCcQ74kKTUtCkUAlnw8Do0WtJKQV5hcJzkOjsJ7KYk62c5iCCMDGBpU2Uq:684kbUAlnw8DoD2Q7LmT6LiCnGBpkq
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 9 IoCs)
Executes dropped EXE (25 IoCs)
pid | Process
1116 | winupdate.exe
2044 | winupdate.exe
1776 | winupdate.exe
2404 | winupdate.exe
3668 | winupdate.exe
4244 | winupdate.exe
4740 | winupdate.exe
640 | winupdate.exe
3180 | winupdate.exe
2372 | winupdate.exe
808 | winupdate.exe
2228 | winupdate.exe
4668 | winupdate.exe
2912 | winupdate.exe
3912 | winupdate.exe
1676 | winupdate.exe
3056 | winupdate.exe
320 | winupdate.exe
1320 | winupdate.exe
3844 | winupdate.exe
3828 | winupdate.exe
3200 | winupdate.exe
3684 | winupdate.exe
1488 | winupdate.exe
2084 | winupdate.exe
Checks BIOS information in registry (2 TTPs, 9 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
Checks computer location settings (2 TTPs, 9 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | winupdate.exe
Adds Run key to start application (2 TTPs, 18 IoCs)
Drops file in System32 directory (27 IoCs)
Suspicious use of SetThreadContext (18 IoCs)
description | pid | Process | procid_target
PID 4900 set thread context of 2832 | 4900 | a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe | 80
PID 2832 set thread context of 3484 | 2832 | a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe | 81
PID 1116 set thread context of 2044 | 1116 | winupdate.exe | 88
PID 2044 set thread context of 1776 | 2044 | winupdate.exe | 89
PID 2404 set thread context of 3668 | 2404 | winupdate.exe | 94
PID 3668 set thread context of 4244 | 3668 | winupdate.exe | 95
PID 4740 set thread context of 640 | 4740 | winupdate.exe | 100
PID 640 set thread context of 3180 | 640 | winupdate.exe | 102
PID 2372 set thread context of 808 | 2372 | winupdate.exe | 107
PID 808 set thread context of 2228 | 808 | winupdate.exe | 108
PID 4668 set thread context of 2912 | 4668 | winupdate.exe | 115
PID 2912 set thread context of 3912 | 2912 | winupdate.exe | 116
PID 1676 set thread context of 3056 | 1676 | winupdate.exe | 125
PID 3056 set thread context of 320 | 3056 | winupdate.exe | 126
PID 1320 set thread context of 3844 | 1320 | winupdate.exe | 132
PID 3844 set thread context of 3828 | 3844 | winupdate.exe | 133
PID 3200 set thread context of 3684 | 3200 | winupdate.exe | 139
PID 3684 set thread context of 1488 | 3684 | winupdate.exe | 140
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 36 IoCs)
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 9 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winupdate.exe
Runs ping.exe (1 TTPs, 8 IoCs)
pid | Process
528 | PING.EXE
3452 | PING.EXE
1240 | PING.EXE
2412 | PING.EXE
1768 | PING.EXE
2340 | PING.EXE
3260 | PING.EXE
4476 | PING.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe"
  PID: 4900
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
Level 2: C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
  PID: 2832
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
Level 3: C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02.exe
  PID: 3484
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  Command line: "C:\Windows\system32\Windowsupdate\winupdate.exe"
  PID: 1116
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  Command line: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  PID: 2044
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  Command line: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  PID: 1776
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  Command line: "C:\Windows\system32\Windowsupdate\winupdate.exe"
  PID: 2404
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
Level 8: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  Command line: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  PID: 3668
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
Level 9: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  Command line: C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4244 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe"C:\Windows\system32\Windowsupdate\winupdate.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4740 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:640 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:3180 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe"C:\Windows\system32\Windowsupdate\winupdate.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2372 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:808 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe"C:\Windows\system32\Windowsupdate\winupdate.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4668 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2912 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:3912 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe"C:\Windows\system32\Windowsupdate\winupdate.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1676 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3056 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe"C:\Windows\system32\Windowsupdate\winupdate.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1320 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3844 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:3828 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe"C:\Windows\system32\Windowsupdate\winupdate.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3200 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe26⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3684 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exeC:\Windows\SysWOW64\Windowsupdate\winupdate.exe27⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe"C:\Windows\system32\Windowsupdate\winupdate.exe"28⤵
- Executes dropped EXE
PID:2084
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "28⤵PID:4568
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "25⤵PID:1916
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 226⤵
- Runs ping.exe
PID:2412
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "22⤵PID:3860
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 223⤵
- Runs ping.exe
PID:1240
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "19⤵PID:3744
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 220⤵
- Runs ping.exe
PID:3452
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "16⤵PID:4624
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 217⤵
- Runs ping.exe
PID:528
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "13⤵PID:3408
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 214⤵
- Runs ping.exe
PID:4476
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "10⤵PID:5036
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 211⤵
- Runs ping.exe
PID:3260
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "7⤵PID:4532
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 28⤵
- Runs ping.exe
PID:2340
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 25⤵
- Runs ping.exe
PID:1768
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 137B
  MD5: 056790f3eb43965f15607ab9c0033728
  SHA1: 8b046f529d49fc8f2a18a5980bd8f2ebda060760
  SHA256: 6fde3727651f6939b3fa4a2a439eed949c71185aec227b2d6eb602f057939bb0
  SHA512: 3dcbde7e83f427189a51a016403384b5ac1e68f1d6d4250c4fed36e21272288e4c7da532271a6212f2ed99ea47ebda5a7e36482c09c6b833b6982b4bebe10171
- Filesize: 82B (this entry is listed 8 times in the report)
  MD5: 161109f79808cfb6a41a419e9c0e94a8
  SHA1: 9e8191ceeaaa07868efe2a90ad9179902509c6e2
  SHA256: 1f0311b2dfc1ef35e51cd0271e0e6af6549fe3a3089a9cdc9ad3568cd424523a
  SHA512: 6c3b41b0ddf7cf86b2faf7583dbff9a752d9545c7028359378911d4244186f66e403547aad6e10fb7ad1cc56bdad9943f4b934f88d78de6b6d36f0d3163d31ce
- Filesize: 820KB (this entry is listed 26 times in the report; its SHA256 is the one in the sample's file name)
  MD5: 4408d904c304c3becc5b3f28b9fd2b62
  SHA1: 741db1ee6c9dd4daa862c531d4194b2745aa2789
  SHA256: a2e42261bdbe2e301195a6d11ec8df3b1f7a8567d5a8b7e31c2852b6655f2b02
  SHA512: ac8b1be8f655a8e9e1084c63b6677de0b21d515fb07d8e09e43f8f4135532561adf703e71348ff6375eb68697170c6044c7a59fb8227bb9b1dababba6db9fa32