darkcomet | 09ca89cac8dc7d77aebe7c5de08379d6546be00d799decf59bfee7dce0bbe0b1

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Size

1.3MB
MD5

ae1a4ed9fdf3d21b149b05ca0173ca31
SHA1

efedb00400642be3a9aae8647ec4aa72fb505917
SHA256

09ca89cac8dc7d77aebe7c5de08379d6546be00d799decf59bfee7dce0bbe0b1
SHA512

ca0562dcbc315090d006ff2c09555a8c9e3dbb2ac474d1c57a07d1a38cb472cd9a681dc70a46f772a16f9d2d14bdb15d81b0bc98066c01a0d89f449bf6d51bb1
SSDEEP

24576:YNhT2DtCMtThZG1r9xoGY+kgmzbp0hDQqLuyYWxy:MDQojLYMm/pEDDLuWxy

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe,C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe

Executes dropped EXE 46 IoCs

pid	Process
60	winupdate.exe
5108	winupdate.exe
64	winupdate.exe
4024	winupdate.exe
4276	winupdate.exe
2884	winupdate.exe
1220	winupdate.exe
3516	winupdate.exe
4820	winupdate.exe
4604	winupdate.exe
4620	winupdate.exe
1404	winupdate.exe
1056	winupdate.exe
64	winupdate.exe
804	winupdate.exe
3964	winupdate.exe
3500	winupdate.exe
2428	winupdate.exe
4448	winupdate.exe
4804	winupdate.exe
1068	winupdate.exe
4088	winupdate.exe
3592	winupdate.exe
4352	winupdate.exe
1620	winupdate.exe
1560	winupdate.exe
2880	winupdate.exe
2296	winupdate.exe
2232	winupdate.exe
3236	winupdate.exe
1592	winupdate.exe
4748	winupdate.exe
4420	winupdate.exe
2576	winupdate.exe
1288	winupdate.exe
3160	winupdate.exe
2260	winupdate.exe
2520	winupdate.exe
60	winupdate.exe
1416	winupdate.exe
804	winupdate.exe
2292	winupdate.exe
3248	winupdate.exe
1600	winupdate.exe
4144	winupdate.exe
5072	winupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windowsupdate\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windowsupdate\	winupdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3592	winupdate.exe
2880	winupdate.exe
4420	winupdate.exe
60	winupdate.exe
804	winupdate.exe
3248	winupdate.exe
4144	winupdate.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 3224 set thread context of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 60 set thread context of 5108	60	winupdate.exe	90
PID 64 set thread context of 4024	64	winupdate.exe	99
PID 4276 set thread context of 2884	4276	winupdate.exe	104
PID 1220 set thread context of 3516	1220	winupdate.exe	108
PID 4820 set thread context of 4604	4820	winupdate.exe	115
PID 4620 set thread context of 1404	4620	winupdate.exe	120
PID 1056 set thread context of 64	1056	winupdate.exe	125
PID 804 set thread context of 3964	804	winupdate.exe	130
PID 3500 set thread context of 2428	3500	winupdate.exe	135
PID 4448 set thread context of 4804	4448	winupdate.exe	140
PID 1068 set thread context of 4088	1068	winupdate.exe	145
PID 3592 set thread context of 4352	3592	winupdate.exe	150
PID 1620 set thread context of 1560	1620	winupdate.exe	155
PID 2880 set thread context of 2296	2880	winupdate.exe	161
PID 2232 set thread context of 3236	2232	winupdate.exe	165
PID 1592 set thread context of 4748	1592	winupdate.exe	170
PID 4420 set thread context of 2576	4420	winupdate.exe	175
PID 1288 set thread context of 3160	1288	winupdate.exe	180
PID 2260 set thread context of 2520	2260	winupdate.exe	185
PID 60 set thread context of 1416	60	winupdate.exe	190
PID 804 set thread context of 2292	804	winupdate.exe	196
PID 3248 set thread context of 1600	3248	winupdate.exe	200
PID 4144 set thread context of 5072	4144	winupdate.exe	205

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 23 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1416	PING.EXE
1696	PING.EXE
4836	PING.EXE
4996	PING.EXE
628	PING.EXE
4744	PING.EXE
1856	PING.EXE
5116	PING.EXE
3344	PING.EXE
948	PING.EXE
2780	PING.EXE
5008	PING.EXE
3992	PING.EXE
716	PING.EXE
1356	PING.EXE
2668	PING.EXE
4868	PING.EXE
1788	PING.EXE
5036	PING.EXE
2936	PING.EXE
112	PING.EXE
4484	PING.EXE
1308	PING.EXE

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
4868	PING.EXE
1856	PING.EXE
4484	PING.EXE
5008	PING.EXE
2668	PING.EXE
628	PING.EXE
4836	PING.EXE
5116	PING.EXE
716	PING.EXE
1416	PING.EXE
1308	PING.EXE
948	PING.EXE
2780	PING.EXE
3344	PING.EXE
1788	PING.EXE
5036	PING.EXE
2936	PING.EXE
4744	PING.EXE
112	PING.EXE
1696	PING.EXE
1356	PING.EXE
3992	PING.EXE
4996	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSecurityPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeBackupPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeRestorePrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeShutdownPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeDebugPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeUndockPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: 33	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: 34	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: 35	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: 36	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	5108	winupdate.exe
Token: SeSecurityPrivilege	5108	winupdate.exe
Token: SeTakeOwnershipPrivilege	5108	winupdate.exe
Token: SeLoadDriverPrivilege	5108	winupdate.exe
Token: SeSystemProfilePrivilege	5108	winupdate.exe
Token: SeSystemtimePrivilege	5108	winupdate.exe
Token: SeProfSingleProcessPrivilege	5108	winupdate.exe
Token: SeIncBasePriorityPrivilege	5108	winupdate.exe
Token: SeCreatePagefilePrivilege	5108	winupdate.exe
Token: SeBackupPrivilege	5108	winupdate.exe
Token: SeRestorePrivilege	5108	winupdate.exe
Token: SeShutdownPrivilege	5108	winupdate.exe
Token: SeDebugPrivilege	5108	winupdate.exe
Token: SeSystemEnvironmentPrivilege	5108	winupdate.exe
Token: SeChangeNotifyPrivilege	5108	winupdate.exe
Token: SeRemoteShutdownPrivilege	5108	winupdate.exe
Token: SeUndockPrivilege	5108	winupdate.exe
Token: SeManageVolumePrivilege	5108	winupdate.exe
Token: SeImpersonatePrivilege	5108	winupdate.exe
Token: SeCreateGlobalPrivilege	5108	winupdate.exe
Token: 33	5108	winupdate.exe
Token: 34	5108	winupdate.exe
Token: 35	5108	winupdate.exe
Token: 36	5108	winupdate.exe
Token: SeIncreaseQuotaPrivilege	4024	winupdate.exe
Token: SeSecurityPrivilege	4024	winupdate.exe
Token: SeTakeOwnershipPrivilege	4024	winupdate.exe
Token: SeLoadDriverPrivilege	4024	winupdate.exe
Token: SeSystemProfilePrivilege	4024	winupdate.exe
Token: SeSystemtimePrivilege	4024	winupdate.exe
Token: SeProfSingleProcessPrivilege	4024	winupdate.exe
Token: SeIncBasePriorityPrivilege	4024	winupdate.exe
Token: SeCreatePagefilePrivilege	4024	winupdate.exe
Token: SeBackupPrivilege	4024	winupdate.exe
Token: SeRestorePrivilege	4024	winupdate.exe
Token: SeShutdownPrivilege	4024	winupdate.exe
Token: SeDebugPrivilege	4024	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4024	winupdate.exe
Token: SeChangeNotifyPrivilege	4024	winupdate.exe
Token: SeRemoteShutdownPrivilege	4024	winupdate.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
60	winupdate.exe
60	winupdate.exe
64	winupdate.exe
64	winupdate.exe
4276	winupdate.exe
4276	winupdate.exe
1220	winupdate.exe
1220	winupdate.exe
4820	winupdate.exe
4820	winupdate.exe
4620	winupdate.exe
4620	winupdate.exe
1056	winupdate.exe
1056	winupdate.exe
804	winupdate.exe
804	winupdate.exe
3500	winupdate.exe
3500	winupdate.exe
4448	winupdate.exe
4448	winupdate.exe
1068	winupdate.exe
1068	winupdate.exe
3592	winupdate.exe
3592	winupdate.exe
1620	winupdate.exe
1620	winupdate.exe
2880	winupdate.exe
2880	winupdate.exe
2232	winupdate.exe
2232	winupdate.exe
1592	winupdate.exe
1592	winupdate.exe
4420	winupdate.exe
4420	winupdate.exe
1288	winupdate.exe
1288	winupdate.exe
2260	winupdate.exe
2260	winupdate.exe
60	winupdate.exe
60	winupdate.exe
804	winupdate.exe
804	winupdate.exe
3248	winupdate.exe
3248	winupdate.exe
4144	winupdate.exe
4144	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 3224 wrote to memory of 4076	3224	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	82
PID 4076 wrote to memory of 60	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	87
PID 4076 wrote to memory of 60	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	87
PID 4076 wrote to memory of 60	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	87
PID 4076 wrote to memory of 4656	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	88
PID 4076 wrote to memory of 4656	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	88
PID 4076 wrote to memory of 4656	4076	ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe	88
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 60 wrote to memory of 5108	60	winupdate.exe	90
PID 4656 wrote to memory of 1788	4656	cmd.exe	91
PID 4656 wrote to memory of 1788	4656	cmd.exe	91
PID 4656 wrote to memory of 1788	4656	cmd.exe	91
PID 5108 wrote to memory of 64	5108	winupdate.exe	95
PID 5108 wrote to memory of 64	5108	winupdate.exe	95
PID 5108 wrote to memory of 64	5108	winupdate.exe	95
PID 5108 wrote to memory of 1896	5108	winupdate.exe	96
PID 5108 wrote to memory of 1896	5108	winupdate.exe	96
PID 5108 wrote to memory of 1896	5108	winupdate.exe	96
PID 1896 wrote to memory of 5036	1896	cmd.exe	98
PID 1896 wrote to memory of 5036	1896	cmd.exe	98
PID 1896 wrote to memory of 5036	1896	cmd.exe	98
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 64 wrote to memory of 4024	64	winupdate.exe	99
PID 4024 wrote to memory of 4276	4024	winupdate.exe	100
PID 4024 wrote to memory of 4276	4024	winupdate.exe	100
PID 4024 wrote to memory of 4276	4024	winupdate.exe	100
PID 4024 wrote to memory of 4644	4024	winupdate.exe	101

C:\Users\Admin\AppData\Local\Temp\ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\ae1a4ed9fdf3d21b149b05ca0173ca31_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
    "C:\Windows\system32\Windowsupdate\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:64
      - C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4448
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        26⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        28⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        30⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        32⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        34⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4420
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        36⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        38⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        40⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:60
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        42⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        44⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        46⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4144
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        48⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Windowsupdate\winupdate.exe
        
        "C:\Windows\system32\Windowsupdate\winupdate.exe"
        49⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        49⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        48⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        46⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        44⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        41⤵
        
        PID:452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        40⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        37⤵
        
        PID:940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        38⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        36⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        33⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        32⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        30⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        26⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        19⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        15⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
82B

MD5
161109f79808cfb6a41a419e9c0e94a8

SHA1
9e8191ceeaaa07868efe2a90ad9179902509c6e2

SHA256
1f0311b2dfc1ef35e51cd0271e0e6af6549fe3a3089a9cdc9ad3568cd424523a

SHA512
6c3b41b0ddf7cf86b2faf7583dbff9a752d9545c7028359378911d4244186f66e403547aad6e10fb7ad1cc56bdad9943f4b934f88d78de6b6d36f0d3163d31ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
119B

MD5
309a4c299bfde9b63b5d388b17eb36fc

SHA1
84a88f3bf02e61919ffdfabeb6011a0da7929148

SHA256
88a34b8e11bbdec1cba4c4e1fa57fc5a6259df0fc1e4f127fa25b2d31b1fedf8

SHA512
df38c0cd6241fb7e50be44b7a6e2a57ed42165c48e6f7b372f23b1c4c1ef2f106d99d911256d0f87587567350a9d25e9017995a9e216e959fe6b406852ab6395

Download Submit
C:\Windows\SysWOW64\Windowsupdate\winupdate.exe

Filesize
1.3MB

MD5
ae1a4ed9fdf3d21b149b05ca0173ca31

SHA1
efedb00400642be3a9aae8647ec4aa72fb505917

SHA256
09ca89cac8dc7d77aebe7c5de08379d6546be00d799decf59bfee7dce0bbe0b1

SHA512
ca0562dcbc315090d006ff2c09555a8c9e3dbb2ac474d1c57a07d1a38cb472cd9a681dc70a46f772a16f9d2d14bdb15d81b0bc98066c01a0d89f449bf6d51bb1

Download Submit
\??\c:\users\admin\appdata\local\temp\724DC897

Filesize
14B

MD5
f8e17c19aa9c15af562cf385da2e313f

SHA1
fcf9001b781e05f2c50beb83b71eb7e10b64a03d

SHA256
4605f4aa5b91a98eccb97af1db025aaf870a10e022d91551e59b5197c877329a

SHA512
e038acee744bd055b225681651d0d79fb3c1af147fb8f9c4795936427bd23792f39f36c17ed8fdf29c5573715c0f21c17bd193e71c47c151c95e63acb53c4c25

Download Submit
memory/60-455-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/60-83-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/60-81-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/60-77-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/60-91-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/64-113-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/64-97-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/64-105-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/64-104-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/804-239-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/804-471-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/804-223-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1056-217-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1056-202-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1068-283-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1068-300-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1220-146-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1220-147-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1220-138-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1220-156-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1288-424-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1288-410-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1400-509-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1404-204-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1404-194-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1404-198-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1592-391-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/1620-342-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2232-375-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2260-440-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2880-359-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/2884-132-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2884-141-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2884-135-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3224-9-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/3224-0-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/3224-3-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/3224-2-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/3248-487-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/3500-260-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/3516-152-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3516-155-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3516-162-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3592-322-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4024-119-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4024-111-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4024-114-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4076-12-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4076-13-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4076-11-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4076-10-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4076-7-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4076-6-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4076-82-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4144-492-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4144-505-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4276-125-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4276-134-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4276-126-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4276-122-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4420-407-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4448-280-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4604-174-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4604-183-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4604-177-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4620-197-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4620-189-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4620-188-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4620-181-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4820-167-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4820-176-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4820-168-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/4820-160-0x0000000000400000-0x000000000079A000-memory.dmp

Filesize
3.6MB

Download
memory/5108-99-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/5108-92-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/5108-90-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads