Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2024, 22:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
56150033.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
56150033.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
56150033.exe
-
Size
2.6MB
-
MD5
1e920633f69873d0a17572e035c3705d
-
SHA1
a45d913c71c79186e2fd60902177f82fd2ef6fdf
-
SHA256
5fc6d8ccc2bc6839c99ee4fee20050c488494d0f54ff64330380e928fa1ab9a3
-
SHA512
351578607b0504ed7d735fabc999f6d320cc571fe55e7ca721a4187976367ea93772e60ff5181451271189b8284351022c1bcab2735bb8510a17ff8d58f1c159
-
SSDEEP
49152:KzTzTzTzTzTzTzTzTzTzTzTzTzTzTzTz:MHHHHHHHHHHHHHHH
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4964 wuauolts.exe 820 wuauolts.exe 4472 wuauolts.exe 3932 wuauolts.exe 3356 wuauolts.exe 4056 wuauolts.exe 3476 wuauolts.exe 3544 wuauolts.exe 3632 wuauolts.exe 3104 wuauolts.exe 2912 wuauolts.exe 4348 wuauolts.exe 3336 wuauolts.exe 4948 wuauolts.exe 1820 wuauolts.exe 64 wuauolts.exe 4628 wuauolts.exe 4272 wuauolts.exe 2280 wuauolts.exe 4292 wuauolts.exe 1864 wuauolts.exe 4980 wuauolts.exe 4736 wuauolts.exe 1108 wuauolts.exe 2876 wuauolts.exe 4160 wuauolts.exe 4764 wuauolts.exe 3044 wuauolts.exe 748 wuauolts.exe 2056 wuauolts.exe 1824 wuauolts.exe 1144 wuauolts.exe 640 wuauolts.exe 2808 wuauolts.exe 3584 wuauolts.exe 5036 wuauolts.exe 3432 wuauolts.exe 4180 wuauolts.exe 1360 wuauolts.exe 3012 wuauolts.exe 1212 wuauolts.exe 2848 wuauolts.exe 2468 wuauolts.exe 436 wuauolts.exe 3884 wuauolts.exe 2096 wuauolts.exe 3192 wuauolts.exe 3688 wuauolts.exe 4368 wuauolts.exe 2208 wuauolts.exe 3924 wuauolts.exe 5068 wuauolts.exe 4612 wuauolts.exe 1664 wuauolts.exe 4960 wuauolts.exe 2696 wuauolts.exe 4556 wuauolts.exe 4072 wuauolts.exe 2780 wuauolts.exe 4860 wuauolts.exe 3048 wuauolts.exe 2312 wuauolts.exe 1612 wuauolts.exe 4880 wuauolts.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\o: wuauolts.exe File opened (read-only) \??\j: wuauolts.exe File opened (read-only) \??\p: Process not Found File opened (read-only) \??\g: Process not Found File opened (read-only) \??\o: Process not Found File opened (read-only) \??\i: wuauolts.exe File opened (read-only) \??\m: wuauolts.exe File opened (read-only) \??\y: wuauolts.exe File opened (read-only) \??\p: Process not Found File opened (read-only) \??\s: wuauolts.exe File opened (read-only) \??\l: Process not Found File opened (read-only) \??\e: Process not Found File opened (read-only) \??\z: Process not Found File opened (read-only) \??\l: Process not Found File opened (read-only) \??\z: Process not Found File opened (read-only) \??\x: wuauolts.exe File opened (read-only) \??\v: wuauolts.exe File opened (read-only) \??\m: wuauolts.exe File opened (read-only) \??\g: Process not Found File opened (read-only) \??\x: Process not Found File opened (read-only) \??\l: Process not Found File opened (read-only) \??\i: wuauolts.exe File opened (read-only) \??\v: Process not Found File opened (read-only) \??\g: Process not Found File opened (read-only) \??\o: Process not Found File opened (read-only) \??\j: Process not Found File opened (read-only) \??\r: wuauolts.exe File opened (read-only) \??\y: wuauolts.exe File opened (read-only) \??\x: Process not Found File opened (read-only) \??\q: Process not Found File opened (read-only) \??\o: Process not Found File opened (read-only) \??\i: Process not Found File opened (read-only) \??\z: wuauolts.exe File opened (read-only) \??\w: Process not Found File opened (read-only) \??\q: Process not Found File opened (read-only) \??\l: Process not Found File opened (read-only) \??\l: Process not Found File opened (read-only) \??\j: Process not Found File opened (read-only) \??\z: wuauolts.exe File opened (read-only) \??\j: Process not Found File opened (read-only) \??\g: Process not Found File opened (read-only) \??\l: Process not Found File opened (read-only) \??\n: Process not Found File opened (read-only) \??\r: Process not Found File opened (read-only) \??\x: wuauolts.exe File opened (read-only) \??\h: wuauolts.exe File opened (read-only) \??\h: wuauolts.exe File opened (read-only) \??\o: Process not Found File opened (read-only) \??\x: Process not Found File opened (read-only) \??\v: Process not Found File opened (read-only) \??\e: Process not Found File opened (read-only) \??\h: Process not Found File opened (read-only) \??\v: wuauolts.exe File opened (read-only) \??\t: wuauolts.exe File opened (read-only) \??\v: wuauolts.exe File opened (read-only) \??\w: Process not Found File opened (read-only) \??\t: Process not Found File opened (read-only) \??\y: Process not Found File opened (read-only) \??\n: Process not Found File opened (read-only) \??\g: Process not Found File opened (read-only) \??\m: wuauolts.exe File opened (read-only) \??\e: wuauolts.exe File opened (read-only) \??\r: Process not Found File opened (read-only) \??\x: Process not Found -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe Process not Found File created C:\Windows\SysWOW64\wuauolts.exe wuauolts.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 1376 56150033.exe 4964 wuauolts.exe 820 wuauolts.exe 4472 wuauolts.exe 3932 wuauolts.exe 3356 wuauolts.exe 4056 wuauolts.exe 3476 wuauolts.exe 3544 wuauolts.exe 3632 wuauolts.exe 3104 wuauolts.exe 2912 wuauolts.exe 4348 wuauolts.exe 3336 wuauolts.exe 4948 wuauolts.exe 1820 wuauolts.exe 64 wuauolts.exe 4628 wuauolts.exe 4272 wuauolts.exe 2280 wuauolts.exe 4292 wuauolts.exe 1864 wuauolts.exe 4980 wuauolts.exe 4736 wuauolts.exe 1108 wuauolts.exe 2876 wuauolts.exe 4160 wuauolts.exe 4764 wuauolts.exe 3044 wuauolts.exe 748 wuauolts.exe 2056 wuauolts.exe 1824 wuauolts.exe 1144 wuauolts.exe 640 wuauolts.exe 2808 wuauolts.exe 3584 wuauolts.exe 5036 wuauolts.exe 3432 wuauolts.exe 4180 wuauolts.exe 1360 wuauolts.exe 3012 wuauolts.exe 1212 wuauolts.exe 2848 wuauolts.exe 2468 wuauolts.exe 436 wuauolts.exe 3884 wuauolts.exe 2096 wuauolts.exe 3192 wuauolts.exe 3688 wuauolts.exe 4368 wuauolts.exe 2208 wuauolts.exe 3924 wuauolts.exe 5068 wuauolts.exe 4612 wuauolts.exe 1664 wuauolts.exe 4960 wuauolts.exe 2696 wuauolts.exe 4556 wuauolts.exe 4072 wuauolts.exe 2780 wuauolts.exe 4860 wuauolts.exe 3048 wuauolts.exe 2312 wuauolts.exe 1612 wuauolts.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wuauolts.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1376 wrote to memory of 4964 1376 56150033.exe 81 PID 1376 wrote to memory of 4964 1376 56150033.exe 81 PID 1376 wrote to memory of 4964 1376 56150033.exe 81 PID 4964 wrote to memory of 820 4964 wuauolts.exe 82 PID 4964 wrote to memory of 820 4964 wuauolts.exe 82 PID 4964 wrote to memory of 820 4964 wuauolts.exe 82 PID 820 wrote to memory of 4472 820 wuauolts.exe 83 PID 820 wrote to memory of 4472 820 wuauolts.exe 83 PID 820 wrote to memory of 4472 820 wuauolts.exe 83 PID 4472 wrote to memory of 3932 4472 wuauolts.exe 84 PID 4472 wrote to memory of 3932 4472 wuauolts.exe 84 PID 4472 wrote to memory of 3932 4472 wuauolts.exe 84 PID 3932 wrote to memory of 3356 3932 wuauolts.exe 85 PID 3932 wrote to memory of 3356 3932 wuauolts.exe 85 PID 3932 wrote to memory of 3356 3932 wuauolts.exe 85 PID 3356 wrote to memory of 4056 3356 wuauolts.exe 86 PID 3356 wrote to memory of 4056 3356 wuauolts.exe 86 PID 3356 wrote to memory of 4056 3356 wuauolts.exe 86 PID 4056 wrote to memory of 3476 4056 wuauolts.exe 87 PID 4056 wrote to memory of 3476 4056 wuauolts.exe 87 PID 4056 wrote to memory of 3476 4056 wuauolts.exe 87 PID 3476 wrote to memory of 3544 3476 wuauolts.exe 88 PID 3476 wrote to memory of 3544 3476 wuauolts.exe 88 PID 3476 wrote to memory of 3544 3476 wuauolts.exe 88 PID 3544 wrote to memory of 3632 3544 wuauolts.exe 89 PID 3544 wrote to memory of 3632 3544 wuauolts.exe 89 PID 3544 wrote to memory of 3632 3544 wuauolts.exe 89 PID 3632 wrote to memory of 3104 3632 wuauolts.exe 90 PID 3632 wrote to memory of 3104 3632 wuauolts.exe 90 PID 3632 wrote to memory of 3104 3632 wuauolts.exe 90 PID 3104 wrote to memory of 2912 3104 wuauolts.exe 91 PID 3104 wrote to memory of 2912 3104 wuauolts.exe 91 PID 3104 wrote to memory of 2912 3104 wuauolts.exe 91 PID 2912 wrote to memory of 4348 2912 wuauolts.exe 92 PID 2912 wrote to memory of 4348 2912 wuauolts.exe 92 PID 2912 wrote to memory of 4348 2912 wuauolts.exe 92 PID 4348 wrote to memory of 3336 4348 wuauolts.exe 93 PID 4348 wrote to memory of 3336 4348 wuauolts.exe 93 PID 4348 wrote to memory of 3336 4348 wuauolts.exe 93 PID 3336 wrote to memory of 4948 3336 wuauolts.exe 94 PID 3336 wrote to memory of 4948 3336 wuauolts.exe 94 PID 3336 wrote to memory of 4948 3336 wuauolts.exe 94 PID 4948 wrote to memory of 1820 4948 wuauolts.exe 95 PID 4948 wrote to memory of 1820 4948 wuauolts.exe 95 PID 4948 wrote to memory of 1820 4948 wuauolts.exe 95 PID 1820 wrote to memory of 64 1820 wuauolts.exe 96 PID 1820 wrote to memory of 64 1820 wuauolts.exe 96 PID 1820 wrote to memory of 64 1820 wuauolts.exe 96 PID 64 wrote to memory of 4628 64 wuauolts.exe 97 PID 64 wrote to memory of 4628 64 wuauolts.exe 97 PID 64 wrote to memory of 4628 64 wuauolts.exe 97 PID 4628 wrote to memory of 4272 4628 wuauolts.exe 98 PID 4628 wrote to memory of 4272 4628 wuauolts.exe 98 PID 4628 wrote to memory of 4272 4628 wuauolts.exe 98 PID 4272 wrote to memory of 2280 4272 wuauolts.exe 99 PID 4272 wrote to memory of 2280 4272 wuauolts.exe 99 PID 4272 wrote to memory of 2280 4272 wuauolts.exe 99 PID 2280 wrote to memory of 4292 2280 wuauolts.exe 100 PID 2280 wrote to memory of 4292 2280 wuauolts.exe 100 PID 2280 wrote to memory of 4292 2280 wuauolts.exe 100 PID 4292 wrote to memory of 1864 4292 wuauolts.exe 101 PID 4292 wrote to memory of 1864 4292 wuauolts.exe 101 PID 4292 wrote to memory of 1864 4292 wuauolts.exe 101 PID 1864 wrote to memory of 4980 1864 wuauolts.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\56150033.exe"C:\Users\Admin\AppData\Local\Temp\56150033.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe10⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe11⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe12⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe13⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe15⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe16⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe17⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe18⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe19⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe20⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe21⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe22⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe23⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4980 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe24⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4736 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe25⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1108 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe26⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2876 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe27⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4160 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe28⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4764 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe29⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3044 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe30⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:748 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe31⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2056 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe32⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1824 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe33⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1144 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe34⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:640 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe35⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2808 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe36⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3584 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe37⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe38⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3432 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe39⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4180 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe40⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1360 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe41⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3012 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe42⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1212 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe43⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2848 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe44⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2468 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe45⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:436 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe46⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3884 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe47⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2096 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe48⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3192 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe49⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3688 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe50⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4368 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe51⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2208 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe52⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3924 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe53⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5068 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe54⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4612 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe55⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1664 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe56⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4960 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe57⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2696 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe58⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4556 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe59⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4072 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe60⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2780 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe61⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4860 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe62⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3048 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe63⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2312 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe64⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1612 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe65⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe66⤵PID:4788
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe67⤵PID:2688
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe68⤵PID:2284
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe69⤵PID:5132
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe70⤵PID:5164
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe71⤵PID:5196
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe72⤵PID:5228
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe73⤵PID:5260
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe74⤵PID:5292
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe75⤵PID:5324
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe76⤵PID:5356
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe77⤵PID:5388
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe78⤵PID:5420
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe79⤵PID:5452
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe80⤵
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe81⤵PID:5516
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe82⤵PID:5548
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe83⤵PID:5580
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe84⤵PID:5612
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe85⤵PID:5644
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe86⤵PID:5676
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe87⤵PID:5708
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe88⤵PID:5740
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe89⤵PID:5772
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe90⤵PID:5804
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe91⤵PID:5836
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe92⤵PID:5868
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe93⤵PID:5900
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe94⤵PID:5932
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe95⤵PID:5964
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe96⤵PID:5996
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe97⤵PID:6028
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6060 -
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe99⤵PID:6092
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe100⤵PID:6124
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe101⤵PID:2524
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe102⤵PID:4908
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe103⤵PID:4944
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe104⤵PID:3264
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe105⤵PID:4344
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe106⤵PID:5176
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe107⤵PID:5248
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe108⤵PID:5304
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe109⤵PID:5380
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe110⤵PID:5464
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe111⤵PID:5508
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe112⤵PID:2816
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe113⤵PID:3016
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe114⤵PID:5664
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe115⤵PID:5752
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe116⤵PID:5824
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe117⤵PID:5880
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe118⤵PID:5952
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe119⤵PID:6020
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe120⤵PID:6112
-
C:\Windows\SysWOW64\wuauolts.exeC:\Windows\system32\wuauolts.exe121⤵PID:4532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-