af9ed336328518b1ce93f940da36f36345c5fcd85563f952b92b4aed68af161d

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe

Windows security bypass 2 TTPs 64 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 64 IoCs

pid	Process
3748	Update.exe
1972	Update.exe
2900	Update.exe
928	Update.exe
2904	Update.exe
3468	Update.exe
4916	Update.exe
2436	Update.exe
3752	Update.exe
3296	Update.exe
624	Update.exe
4368	Update.exe
4328	Update.exe
5024	Update.exe
1348	Update.exe
2256	Update.exe
924	Update.exe
2460	Update.exe
64	Update.exe
4608	Update.exe
892	Update.exe
5056	Update.exe
4348	Update.exe
1832	Update.exe
3164	Update.exe
4696	Update.exe
3380	Update.exe
3064	Update.exe
1852	Update.exe
3712	Update.exe
3732	Update.exe
3616	Update.exe
1684	Update.exe
412	Update.exe
564	Update.exe
4084	Update.exe
452	Update.exe
640	Update.exe
3608	Update.exe
1148	Update.exe
868	Update.exe
4720	Update.exe
808	Update.exe
2672	Update.exe
3524	Update.exe
3176	Update.exe
4536	Update.exe
1804	Update.exe
1380	Update.exe
4836	Update.exe
2732	Update.exe
3380	Update.exe
1556	Update.exe
1852	Update.exe
5096	Update.exe
3016	Update.exe
5072	Update.exe
4512	Update.exe
3592	Update.exe
1620	Update.exe
3140	Update.exe
2288	Update.exe
2364	Update.exe
212	Update.exe

Windows security modification 2 TTPs 64 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Update.exe

Checks whether UAC is enabled 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update	Update.exe
File opened for modification	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe
File created	C:\Windows\SysWOW64\Windows Update\Update.exe	Update.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 3748 set thread context of 1972	3748	Update.exe	86
PID 2900 set thread context of 928	2900	Update.exe	88
PID 2904 set thread context of 3468	2904	Update.exe	90
PID 4916 set thread context of 2436	4916	Update.exe	92
PID 3752 set thread context of 3296	3752	Update.exe	94
PID 624 set thread context of 4368	624	Update.exe	96
PID 4328 set thread context of 5024	4328	Update.exe	98
PID 1348 set thread context of 2256	1348	Update.exe	102
PID 924 set thread context of 2460	924	Update.exe	104
PID 64 set thread context of 4608	64	Update.exe	108
PID 892 set thread context of 5056	892	Update.exe	110
PID 4348 set thread context of 1832	4348	Update.exe	112
PID 3164 set thread context of 4696	3164	Update.exe	114
PID 3380 set thread context of 3064	3380	Update.exe	117
PID 1852 set thread context of 3712	1852	Update.exe	119
PID 3732 set thread context of 3616	3732	Update.exe	121
PID 1684 set thread context of 412	1684	Update.exe	123
PID 564 set thread context of 4084	564	Update.exe	125
PID 452 set thread context of 640	452	Update.exe	129
PID 3608 set thread context of 1148	3608	Update.exe	131
PID 868 set thread context of 4720	868	Update.exe	133
PID 808 set thread context of 2672	808	Update.exe	135
PID 3524 set thread context of 3176	3524	Update.exe	137
PID 4536 set thread context of 1804	4536	Update.exe	139
PID 1380 set thread context of 4836	1380	Update.exe	141
PID 2732 set thread context of 3380	2732	Update.exe	143
PID 1556 set thread context of 1852	1556	Update.exe	145
PID 5096 set thread context of 3016	5096	Update.exe	147
PID 5072 set thread context of 4512	5072	Update.exe	149
PID 3592 set thread context of 1620	3592	Update.exe	151
PID 3140 set thread context of 2288	3140	Update.exe	153
PID 2364 set thread context of 212	2364	Update.exe	155
PID 2972 set thread context of 1996	2972	Update.exe	157
PID 1096 set thread context of 4200	1096	Update.exe	159
PID 4320 set thread context of 2356	4320	Update.exe	161
PID 2708 set thread context of 4348	2708	Update.exe	163
PID 4056 set thread context of 4376	4056	Update.exe	165
PID 2440 set thread context of 376	2440	Update.exe	167
PID 2752 set thread context of 1800	2752	Update.exe	169
PID 4416 set thread context of 884	4416	Update.exe	171
PID 2456 set thread context of 964	2456	Update.exe	173
PID 3324 set thread context of 832	3324	Update.exe	175
PID 4940 set thread context of 1448	4940	Update.exe	177
PID 1072 set thread context of 3480	1072	Update.exe	179
PID 3608 set thread context of 4616	3608	Update.exe	182
PID 3516 set thread context of 3744	3516	Update.exe	184
PID 2956 set thread context of 3504	2956	Update.exe	186
PID 440 set thread context of 2520	440	Update.exe	188
PID 1288 set thread context of 2224	1288	Update.exe	190
PID 2132 set thread context of 4516	2132	Update.exe	192
PID 1820 set thread context of 1156	1820	Update.exe	194
PID 4936 set thread context of 2612	4936	Update.exe	197
PID 3636 set thread context of 2680	3636	Update.exe	199
PID 1808 set thread context of 3280	1808	Update.exe	201
PID 3708 set thread context of 2016	3708	Update.exe	203
PID 4620 set thread context of 1192	4620	Update.exe	205
PID 628 set thread context of 1052	628	Update.exe	207
PID 2304 set thread context of 4456	2304	Update.exe	209
PID 5088 set thread context of 3288	5088	Update.exe	211
PID 3524 set thread context of 1404	3524	Update.exe	213
PID 4536 set thread context of 4088	4536	Update.exe	215
PID 1748 set thread context of 2692	1748	Update.exe	217
PID 1164 set thread context of 5036	1164	Update.exe	219

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1404-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1404-8-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/files/0x0007000000023441-13.dat	upx
behavioral2/memory/3748-29-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2900-43-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2904-55-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4916-67-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3752-78-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/624-90-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4328-94-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4328-103-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1348-114-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/924-128-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/64-140-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/892-150-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4348-164-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3164-174-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3380-188-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1852-200-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3732-212-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1684-222-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/564-234-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/452-238-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/452-248-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3608-260-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/868-272-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/808-284-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3524-295-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4536-307-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1380-319-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2732-331-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1556-345-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/5096-355-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3592-378-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3140-391-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2364-403-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2972-411-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1096-421-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4320-431-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2708-441-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4056-452-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2440-463-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2752-472-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4416-481-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2456-492-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3324-501-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4940-511-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1072-523-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2956-550-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/440-560-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1288-570-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2132-580-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1820-589-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4936-599-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3636-611-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1808-620-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3708-629-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4620-640-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/628-649-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2304-661-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/5088-669-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3524-679-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1748-700-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/868-726-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe
4860	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe
3748	Update.exe
1972	Update.exe
2900	Update.exe
928	Update.exe
2904	Update.exe
3468	Update.exe
4916	Update.exe
2436	Update.exe
3752	Update.exe
3296	Update.exe
624	Update.exe
4368	Update.exe
4328	Update.exe
5024	Update.exe
1348	Update.exe
2256	Update.exe
924	Update.exe
2460	Update.exe
64	Update.exe
4608	Update.exe
892	Update.exe
5056	Update.exe
4348	Update.exe
1832	Update.exe
3164	Update.exe
4696	Update.exe
3380	Update.exe
3064	Update.exe
1852	Update.exe
3712	Update.exe
3732	Update.exe
3616	Update.exe
1684	Update.exe
412	Update.exe
564	Update.exe
4084	Update.exe
452	Update.exe
640	Update.exe
3608	Update.exe
1148	Update.exe
868	Update.exe
4720	Update.exe
808	Update.exe
2672	Update.exe
3524	Update.exe
3176	Update.exe
4536	Update.exe
1804	Update.exe
1380	Update.exe
4836	Update.exe
2732	Update.exe
3380	Update.exe
1556	Update.exe
1852	Update.exe
5096	Update.exe
3016	Update.exe
5072	Update.exe
4512	Update.exe
3592	Update.exe
1620	Update.exe
3140	Update.exe
2288	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 1404 wrote to memory of 4860	1404	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	83
PID 4860 wrote to memory of 3748	4860	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	84
PID 4860 wrote to memory of 3748	4860	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	84
PID 4860 wrote to memory of 3748	4860	070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe	84
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 3748 wrote to memory of 1972	3748	Update.exe	86
PID 1972 wrote to memory of 2900	1972	Update.exe	87
PID 1972 wrote to memory of 2900	1972	Update.exe	87
PID 1972 wrote to memory of 2900	1972	Update.exe	87
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 2900 wrote to memory of 928	2900	Update.exe	88
PID 928 wrote to memory of 2904	928	Update.exe	89
PID 928 wrote to memory of 2904	928	Update.exe	89
PID 928 wrote to memory of 2904	928	Update.exe	89
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 2904 wrote to memory of 3468	2904	Update.exe	90
PID 3468 wrote to memory of 4916	3468	Update.exe	91
PID 3468 wrote to memory of 4916	3468	Update.exe	91
PID 3468 wrote to memory of 4916	3468	Update.exe	91
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 4916 wrote to memory of 2436	4916	Update.exe	92
PID 2436 wrote to memory of 3752	2436	Update.exe	93
PID 2436 wrote to memory of 3752	2436	Update.exe	93
PID 2436 wrote to memory of 3752	2436	Update.exe	93
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3752 wrote to memory of 3296	3752	Update.exe	94
PID 3296 wrote to memory of 624	3296	Update.exe	95

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Update.exe

C:\Users\Admin\AppData\Local\Temp\070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\070f414ebbc5f2fe917d5082936f3a09_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\Windows Update\Update.exe
    "C:\Windows\system32\Windows Update\Update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\SysWOW64\Windows Update\Update.exe
      "C:\Windows\SysWOW64\Windows Update\Update.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        10⤵
        Windows security bypass
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2436
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        12⤵
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        16⤵
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5024
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        18⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2256
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        20⤵
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:64
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        22⤵
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4608
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5056
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4348
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4696
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3380
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        32⤵
        Windows security bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3712
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3732
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        34⤵
        Windows security bypass
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3616
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        36⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:412
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        38⤵
        UAC bypass
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:452
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        42⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4720
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:808
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        46⤵
        Windows security bypass
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3524
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3176
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        50⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1804
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        54⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:3380
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1852
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5072
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4512
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        62⤵
        UAC bypass
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3140
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        64⤵
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2364
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        66⤵
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:2972
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        68⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Drops file in System32 directory
        System policy modification
        
        PID:1996
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1096
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        70⤵
        UAC bypass
        Windows security modification
        
        PID:4200
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4320
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        72⤵
        Checks whether UAC is enabled
        
        PID:2356
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:2708
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        74⤵
        Windows security modification
        
        PID:4348
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:4056
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2440
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        78⤵
        Checks whether UAC is enabled
        
        PID:376
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:2752
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        80⤵
        UAC bypass
        
        PID:1800
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:4416
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        82⤵
        UAC bypass
        Checks whether UAC is enabled
        
        PID:884
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2456
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        84⤵
        
        PID:964
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:3324
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        86⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:832
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        88⤵
        Windows security bypass
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:1448
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        89⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1072
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        90⤵
        Windows security modification
        
        PID:3480
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:3608
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        92⤵
        Checks computer location settings
        System policy modification
        
        PID:4616
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3516
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        94⤵
        Windows security bypass
        Checks computer location settings
        System policy modification
        
        PID:3744
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:2956
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        96⤵
        UAC bypass
        Checks whether UAC is enabled
        
        PID:3504
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:440
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        98⤵
        Drops file in System32 directory
        System policy modification
        
        PID:2520
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:1288
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        100⤵
        Windows security bypass
        
        PID:2224
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2132
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        102⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:4516
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:1820
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        104⤵
        UAC bypass
        System policy modification
        
        PID:1156
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:4936
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        106⤵
        System policy modification
        
        PID:2612
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:3636
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        108⤵
        UAC bypass
        Windows security bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2680
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1808
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        110⤵
        Windows security bypass
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:3708
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        112⤵
        Windows security bypass
        Windows security modification
        
        PID:2016
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:4620
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        114⤵
        Windows security bypass
        
        PID:1192
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        115⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:628
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        116⤵
        UAC bypass
        Windows security modification
        
        PID:1052
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:2304
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        118⤵
        Checks computer location settings
        Windows security modification
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:5088
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        120⤵
        Windows security bypass
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:3524
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        122⤵
        Windows security bypass
        Checks computer location settings
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:1404
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:4536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        124⤵
        Windows security modification
        
        PID:4088
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:1748
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        126⤵
        UAC bypass
        Windows security modification
        
        PID:2692
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:1164
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        128⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        130⤵
        UAC bypass
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        131⤵
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        132⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:4436
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        133⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        134⤵
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:1144
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        135⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        136⤵
        UAC bypass
        Windows security modification
        
        PID:1716
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        137⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        138⤵
        Windows security bypass
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        139⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        140⤵
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:740
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        141⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        142⤵
        Checks computer location settings
        Windows security modification
        
        PID:2864
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        143⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        144⤵
        Checks computer location settings
        Windows security modification
        
        PID:3364
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        145⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        146⤵
        UAC bypass
        Windows security modification
        
        PID:4152
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        148⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:4216
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        150⤵
        UAC bypass
        Checks whether UAC is enabled
        
        PID:644
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        151⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        152⤵
        UAC bypass
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        154⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        155⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        156⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        157⤵
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        158⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:3732
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        159⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        160⤵
        Windows security bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        161⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        162⤵
        UAC bypass
        Checks computer location settings
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        163⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        164⤵
        Windows security bypass
        Windows security modification
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        165⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        166⤵
        UAC bypass
        Windows security bypass
        Windows security modification
        
        PID:628
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        167⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        168⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        169⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        170⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        171⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        172⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        173⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        174⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2668
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        175⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        176⤵
        UAC bypass
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        177⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        178⤵
        UAC bypass
        Windows security modification
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        179⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        180⤵
        UAC bypass
        Windows security bypass
        Checks whether UAC is enabled
        
        PID:4936
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        181⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        182⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        183⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        184⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        185⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        186⤵
        UAC bypass
        
        PID:3248
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        187⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        188⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        189⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        190⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        191⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        192⤵
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:2788
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        193⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        194⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:2308
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        196⤵
        UAC bypass
        
        PID:4440
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        197⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        198⤵
        UAC bypass
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        200⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        201⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        202⤵
        Checks computer location settings
        Windows security modification
        
        PID:2756
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        203⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        204⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        205⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        206⤵
        UAC bypass
        
        PID:388
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        207⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        208⤵
        Windows security bypass
        Checks computer location settings
        Checks whether UAC is enabled
        Drops file in System32 directory
        System policy modification
        
        PID:3736
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        209⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        210⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:2644
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        211⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        212⤵
        Windows security bypass
        Windows security modification
        Checks whether UAC is enabled
        
        PID:2904
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        214⤵
        UAC bypass
        Checks computer location settings
        
        PID:3240
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        215⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        216⤵
        Windows security bypass
        
        PID:1864
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        218⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Drops file in System32 directory
        System policy modification
        
        PID:1440
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        219⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        220⤵
        UAC bypass
        Windows security bypass
        
        PID:1756
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        222⤵
        Windows security modification
        System policy modification
        
        PID:1380
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        223⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        224⤵
        Windows security bypass
        Checks whether UAC is enabled
        
        PID:5020
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        225⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        226⤵
        Windows security bypass
        Windows security modification
        
        PID:2116
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        227⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        228⤵
        Windows security bypass
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        229⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        230⤵
        Checks computer location settings
        
        PID:868
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        231⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        232⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        233⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        234⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        235⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        236⤵
        Checks computer location settings
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:452
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        237⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        238⤵
        Checks computer location settings
        
        PID:4156
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        240⤵
        UAC bypass
        Windows security modification
        System policy modification
        
        PID:2380
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        241⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        242⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        243⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        244⤵
        Windows security modification
        
        PID:2000
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        245⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        246⤵
        Windows security bypass
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        248⤵
        Windows security bypass
        Checks computer location settings
        System policy modification
        
        PID:4460
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        249⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        250⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        251⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        252⤵
        Windows security bypass
        System policy modification
        
        PID:3688
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        253⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        254⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        255⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        256⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        257⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        258⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        259⤵
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        260⤵
        Windows security bypass
        
        PID:2980
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        261⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        262⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:2736
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        263⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        264⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:2164
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        265⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        266⤵
        UAC bypass
        Windows security bypass
        Windows security modification
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        268⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        269⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        270⤵
        Windows security modification
        System policy modification
        
        PID:2036
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        271⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        272⤵
        Windows security bypass
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        273⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        274⤵
        Windows security bypass
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        275⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        276⤵
        Windows security bypass
        System policy modification
        
        PID:2752
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        277⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        278⤵
        Checks computer location settings
        System policy modification
        
        PID:2128
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        279⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        280⤵
        UAC bypass
        
        PID:4012
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        282⤵
        Checks computer location settings
        
        PID:1928
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        283⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        284⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        285⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        286⤵
        Windows security bypass
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        287⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        288⤵
        Windows security modification
        Drops file in System32 directory
        System policy modification
        
        PID:3472
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        289⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        290⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        291⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        292⤵
        UAC bypass
        Windows security modification
        Checks whether UAC is enabled
        
        PID:3524
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        293⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        294⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        295⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        296⤵
        UAC bypass
        
        PID:4504
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        298⤵
        UAC bypass
        
        PID:2076
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        299⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        300⤵
        Windows security bypass
        
        PID:4328
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        301⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        302⤵
        Windows security modification
        
        PID:4288
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        303⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        304⤵
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        305⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        306⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3168
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        307⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        308⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        309⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        310⤵
        Checks whether UAC is enabled
        
        PID:2800
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        311⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        312⤵
        UAC bypass
        Checks computer location settings
        
        PID:3352
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        313⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        314⤵
        UAC bypass
        
        PID:2760
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        315⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        316⤵
        UAC bypass
        Checks whether UAC is enabled
        Drops file in System32 directory
        System policy modification
        
        PID:2960
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        317⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        318⤵
        Windows security modification
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        319⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        321⤵
        
        PID:840
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        322⤵
        Windows security modification
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        323⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        324⤵
        UAC bypass
        Checks computer location settings
        Windows security modification
        System policy modification
        
        PID:2200
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        326⤵
        Windows security modification
        System policy modification
        
        PID:1556
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        327⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        328⤵
        System policy modification
        
        PID:4372
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        329⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        330⤵
        Windows security bypass
        Checks computer location settings
        Windows security modification
        System policy modification
        
        PID:4596
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        331⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        332⤵
        UAC bypass
        Checks computer location settings
        
        PID:3876
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        333⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        334⤵
        UAC bypass
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        335⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        336⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        337⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        338⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        339⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        340⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        342⤵
        Windows security bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        343⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        344⤵
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:400
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        345⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        346⤵
        Windows security bypass
        
        PID:840
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        347⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        348⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        349⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        350⤵
        UAC bypass
        Windows security bypass
        Windows security modification
        Checks whether UAC is enabled
        
        PID:2968
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        351⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        352⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        353⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        354⤵
        UAC bypass
        System policy modification
        
        PID:4956
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        355⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        356⤵
        Windows security modification
        Checks whether UAC is enabled
        
        PID:1792
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        357⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        358⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        359⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        360⤵
        
        PID:796
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        362⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        363⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        364⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        365⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        366⤵
        Windows security modification
        
        PID:2108
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        367⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        368⤵
        Windows security modification
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        369⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        370⤵
        UAC bypass
        Windows security bypass
        Checks whether UAC is enabled
        
        PID:3268
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        371⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        372⤵
        Windows security modification
        System policy modification
        
        PID:2856
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        373⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        374⤵
        Windows security bypass
        Checks computer location settings
        
        PID:3324
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        375⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        376⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:2040
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        377⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        378⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        379⤵
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        380⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        381⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        382⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        383⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        384⤵
        Checks computer location settings
        
        PID:4560
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        385⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        386⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        387⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        388⤵
        Checks computer location settings
        Windows security modification
        
        PID:644
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        389⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        390⤵
        Windows security modification
        
        PID:2908
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        391⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        392⤵
        Checks computer location settings
        Windows security modification
        System policy modification
        
        PID:3692
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        393⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        394⤵
        Windows security bypass
        Windows security modification
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:3040
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        395⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        396⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        397⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        398⤵
        Windows security bypass
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3376
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        399⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        400⤵
        Checks whether UAC is enabled
        
        PID:1624
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        401⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        402⤵
        Windows security modification
        
        PID:1660
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        403⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        404⤵
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:3932
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        405⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        406⤵
        UAC bypass
        Windows security modification
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:4560
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        407⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        408⤵
        Windows security bypass
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        409⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        410⤵
        UAC bypass
        Windows security bypass
        System policy modification
        
        PID:1128
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        411⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        412⤵
        Checks computer location settings
        System policy modification
        
        PID:1808
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        413⤵
        
        PID:180
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        414⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        System policy modification
        
        PID:3852
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        415⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        416⤵
        Windows security modification
        System policy modification
        
        PID:5072
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        417⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        418⤵
        Windows security bypass
        
        PID:4976
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        419⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        420⤵
        UAC bypass
        Checks computer location settings
        Windows security modification
        System policy modification
        
        PID:3140
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        421⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        422⤵
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        423⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        424⤵
        Checks computer location settings
        
        PID:864
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        425⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        426⤵
        Windows security bypass
        Windows security modification
        Checks whether UAC is enabled
        
        PID:2068
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        427⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        428⤵
        UAC bypass
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        429⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        430⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        431⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        432⤵
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:388
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        433⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        434⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        435⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        436⤵
        Windows security bypass
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        437⤵
        
        PID:112
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        438⤵
        System policy modification
        
        PID:1924
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        439⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        440⤵
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        441⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        442⤵
        UAC bypass
        Checks whether UAC is enabled
        
        PID:2008
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        443⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        444⤵
        Windows security bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4448
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        445⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        446⤵
        Windows security bypass
        Checks computer location settings
        Checks whether UAC is enabled
        
        PID:3960
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        447⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        448⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:624
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        449⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        450⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        451⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        452⤵
        UAC bypass
        Windows security bypass
        Windows security modification
        
        PID:684
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        453⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        454⤵
        System policy modification
        
        PID:2868
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        455⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        456⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:1152
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        457⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        458⤵
        Checks computer location settings
        System policy modification
        
        PID:112
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        459⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        460⤵
        Windows security bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4540
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        461⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        462⤵
        Checks computer location settings
        System policy modification
        
        PID:2784
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\system32\Windows Update\Update.exe"
        463⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Windows Update\Update.exe
        
        "C:\Windows\SysWOW64\Windows Update\Update.exe"
        464⤵
        Windows security modification
        Checks whether UAC is enabled
        System policy modification
        
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry