metasploit | ef354f62f14cc9a691116807f73fab18a1ec3033c7dc415e701066b03d82e9fd

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
Size

154KB
MD5

bc94aaa11cb54dcf3c211af470b7ba4c
SHA1

8c3dbc8108ba0d2e36339286feea7d484550e48d
SHA256

ef354f62f14cc9a691116807f73fab18a1ec3033c7dc415e701066b03d82e9fd
SHA512

6b00faca670f989345da92ddd00580c2d637ffdb35258b799bbe43fd56fc74368ab9852d649823f73fd0809068a99ab8e9fc2f8a42e01f38026bedb52795865e
SSDEEP

3072:UjvopcI+YF+S+18Mwd/aujCuaa+HTNZob5y4KUxuX7FYvk5MN:UjYF+W7a3uHU6y4KBX7S85G

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2064	winupd01.exe

Executes dropped EXE 64 IoCs

pid	Process
2736	winupd01.exe
2064	winupd01.exe
2628	winupd01.exe
2088	winupd01.exe
2980	winupd01.exe
332	winupd01.exe
2060	winupd01.exe
620	winupd01.exe
1792	winupd01.exe
2204	winupd01.exe
408	winupd01.exe
2040	winupd01.exe
2352	winupd01.exe
1032	winupd01.exe
2380	winupd01.exe
2588	winupd01.exe
1596	winupd01.exe
316	winupd01.exe
1648	winupd01.exe
2992	winupd01.exe
2836	winupd01.exe
2768	winupd01.exe
2784	winupd01.exe
2384	winupd01.exe
2092	winupd01.exe
2692	winupd01.exe
2804	winupd01.exe
484	winupd01.exe
1756	winupd01.exe
2044	winupd01.exe
1188	winupd01.exe
2492	winupd01.exe
2496	winupd01.exe
1584	winupd01.exe
896	winupd01.exe
1520	winupd01.exe
728	winupd01.exe
2512	winupd01.exe
2256	winupd01.exe
876	winupd01.exe
292	winupd01.exe
1028	winupd01.exe
2756	winupd01.exe
2452	winupd01.exe
2640	winupd01.exe
3004	winupd01.exe
2668	winupd01.exe
2084	winupd01.exe
1968	winupd01.exe
2840	winupd01.exe
348	winupd01.exe
924	winupd01.exe
2212	winupd01.exe
1928	winupd01.exe
304	winupd01.exe
2548	winupd01.exe
860	winupd01.exe
1920	winupd01.exe
1768	winupd01.exe
2168	winupd01.exe
680	winupd01.exe
2468	winupd01.exe
1824	winupd01.exe
2832	winupd01.exe

Loads dropped DLL 64 IoCs

pid	Process
2524	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
2524	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
2064	winupd01.exe
2064	winupd01.exe
2088	winupd01.exe
2088	winupd01.exe
332	winupd01.exe
332	winupd01.exe
620	winupd01.exe
620	winupd01.exe
2204	winupd01.exe
2204	winupd01.exe
2040	winupd01.exe
2040	winupd01.exe
1032	winupd01.exe
1032	winupd01.exe
2588	winupd01.exe
2588	winupd01.exe
316	winupd01.exe
316	winupd01.exe
2992	winupd01.exe
2992	winupd01.exe
2768	winupd01.exe
2768	winupd01.exe
2384	winupd01.exe
2384	winupd01.exe
2692	winupd01.exe
2692	winupd01.exe
484	winupd01.exe
484	winupd01.exe
2044	winupd01.exe
2044	winupd01.exe
2492	winupd01.exe
2492	winupd01.exe
1584	winupd01.exe
1584	winupd01.exe
1520	winupd01.exe
1520	winupd01.exe
2512	winupd01.exe
2512	winupd01.exe
876	winupd01.exe
876	winupd01.exe
1028	winupd01.exe
1028	winupd01.exe
2452	winupd01.exe
2452	winupd01.exe
3004	winupd01.exe
3004	winupd01.exe
2084	winupd01.exe
2084	winupd01.exe
2840	winupd01.exe
2840	winupd01.exe
924	winupd01.exe
924	winupd01.exe
1928	winupd01.exe
1928	winupd01.exe
2548	winupd01.exe
2548	winupd01.exe
1920	winupd01.exe
1920	winupd01.exe
2168	winupd01.exe
2168	winupd01.exe
2468	winupd01.exe
2468	winupd01.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File created	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe
File opened for modification	C:\Windows\SysWOW64\winupd01.exe	winupd01.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2736 set thread context of 2064	2736	winupd01.exe	34
PID 2628 set thread context of 2088	2628	winupd01.exe	36
PID 2980 set thread context of 332	2980	winupd01.exe	38
PID 2060 set thread context of 620	2060	winupd01.exe	40
PID 1792 set thread context of 2204	1792	winupd01.exe	42
PID 408 set thread context of 2040	408	winupd01.exe	44
PID 2352 set thread context of 1032	2352	winupd01.exe	46
PID 2380 set thread context of 2588	2380	winupd01.exe	48
PID 1596 set thread context of 316	1596	winupd01.exe	50
PID 1648 set thread context of 2992	1648	winupd01.exe	52
PID 2836 set thread context of 2768	2836	winupd01.exe	54
PID 2784 set thread context of 2384	2784	winupd01.exe	56
PID 2092 set thread context of 2692	2092	winupd01.exe	58
PID 2804 set thread context of 484	2804	winupd01.exe	60
PID 1756 set thread context of 2044	1756	winupd01.exe	62
PID 1188 set thread context of 2492	1188	winupd01.exe	64
PID 2496 set thread context of 1584	2496	winupd01.exe	66
PID 896 set thread context of 1520	896	winupd01.exe	68
PID 728 set thread context of 2512	728	winupd01.exe	70
PID 2256 set thread context of 876	2256	winupd01.exe	72
PID 292 set thread context of 1028	292	winupd01.exe	74
PID 2756 set thread context of 2452	2756	winupd01.exe	76
PID 2640 set thread context of 3004	2640	winupd01.exe	78
PID 2668 set thread context of 2084	2668	winupd01.exe	80
PID 1968 set thread context of 2840	1968	winupd01.exe	82
PID 348 set thread context of 924	348	winupd01.exe	84
PID 2212 set thread context of 1928	2212	winupd01.exe	86
PID 304 set thread context of 2548	304	winupd01.exe	88
PID 860 set thread context of 1920	860	winupd01.exe	90
PID 1768 set thread context of 2168	1768	winupd01.exe	92
PID 680 set thread context of 2468	680	winupd01.exe	94
PID 1824 set thread context of 2832	1824	winupd01.exe	97
PID 2988 set thread context of 2908	2988	winupd01.exe	99
PID 2736 set thread context of 2648	2736	winupd01.exe	101
PID 344 set thread context of 1276	344	winupd01.exe	103
PID 2260 set thread context of 2944	2260	winupd01.exe	105
PID 2508 set thread context of 2976	2508	winupd01.exe	107
PID 2244 set thread context of 2216	2244	winupd01.exe	109
PID 1752 set thread context of 1916	1752	winupd01.exe	111
PID 948 set thread context of 1636	948	winupd01.exe	113
PID 1612 set thread context of 1524	1612	winupd01.exe	115
PID 1676 set thread context of 1552	1676	winupd01.exe	117
PID 2520 set thread context of 2996	2520	winupd01.exe	119
PID 2332 set thread context of 2892	2332	winupd01.exe	121
PID 740 set thread context of 2724	740	winupd01.exe	123
PID 1608 set thread context of 1044	1608	winupd01.exe	125
PID 2952 set thread context of 2924	2952	winupd01.exe	127
PID 2712 set thread context of 2360	2712	winupd01.exe	129
PID 2240 set thread context of 2072	2240	winupd01.exe	131
PID 1624 set thread context of 444	1624	winupd01.exe	133
PID 844 set thread context of 1744	844	winupd01.exe	135
PID 1512 set thread context of 2196	1512	winupd01.exe	137
PID 928 set thread context of 1732	928	winupd01.exe	139
PID 856 set thread context of 1824	856	winupd01.exe	141
PID 2620 set thread context of 2852	2620	winupd01.exe	143
PID 2780 set thread context of 2876	2780	winupd01.exe	145
PID 936 set thread context of 1616	936	winupd01.exe	147
PID 1408 set thread context of 3044	1408	winupd01.exe	149
PID 2652 set thread context of 1212	2652	winupd01.exe	151
PID 3068 set thread context of 3020	3068	winupd01.exe	153
PID 1076 set thread context of 2496	1076	winupd01.exe	155
PID 844 set thread context of 2356	844	winupd01.exe	157
PID 1932 set thread context of 2884	1932	winupd01.exe	159

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2524-3-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-17-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-16-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-15-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-14-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-7-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-4-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-12-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2524-30-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2064-41-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2064-44-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2064-43-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2064-50-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2088-62-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2088-63-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2088-60-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2088-67-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/332-78-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/332-81-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/332-80-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/332-87-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/620-107-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2204-126-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2040-146-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1032-165-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2588-185-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/316-204-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2992-223-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2768-243-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2384-262-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2692-282-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/484-297-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2044-312-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2492-327-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1584-342-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1520-357-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2512-372-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/876-387-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1028-402-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2452-417-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3004-432-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2084-447-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2840-462-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/924-477-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1928-492-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2548-507-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1920-522-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2168-537-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2468-552-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2832-563-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2832-568-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2908-578-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2908-584-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2648-597-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2648-600-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1276-611-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1276-616-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2944-627-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2944-632-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2976-643-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2976-648-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2216-659-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2216-664-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1916-675-0x0000000000400000-0x0000000000463000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd01.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
2064	winupd01.exe
2088	winupd01.exe
332	winupd01.exe
620	winupd01.exe
2204	winupd01.exe
2040	winupd01.exe
1032	winupd01.exe
2588	winupd01.exe
316	winupd01.exe
2992	winupd01.exe
2768	winupd01.exe
2384	winupd01.exe
2692	winupd01.exe
484	winupd01.exe
2044	winupd01.exe
2492	winupd01.exe
1584	winupd01.exe
1520	winupd01.exe
2512	winupd01.exe
876	winupd01.exe
1028	winupd01.exe
2452	winupd01.exe
3004	winupd01.exe
2084	winupd01.exe
2840	winupd01.exe
924	winupd01.exe
1928	winupd01.exe
2548	winupd01.exe
1920	winupd01.exe
2168	winupd01.exe
2468	winupd01.exe
2832	winupd01.exe
2908	winupd01.exe
2648	winupd01.exe
1276	winupd01.exe
2944	winupd01.exe
2976	winupd01.exe
2216	winupd01.exe
1916	winupd01.exe
1636	winupd01.exe
1524	winupd01.exe
1552	winupd01.exe
2996	winupd01.exe
2892	winupd01.exe
2724	winupd01.exe
1044	winupd01.exe
2924	winupd01.exe
2360	winupd01.exe
2072	winupd01.exe
444	winupd01.exe
1744	winupd01.exe
2196	winupd01.exe
1732	winupd01.exe
1824	winupd01.exe
2852	winupd01.exe
2876	winupd01.exe
1616	winupd01.exe
3044	winupd01.exe
1212	winupd01.exe
3020	winupd01.exe
2496	winupd01.exe
2356	winupd01.exe
2884	winupd01.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
2736	winupd01.exe
2628	winupd01.exe
2980	winupd01.exe
2060	winupd01.exe
1792	winupd01.exe
408	winupd01.exe
2352	winupd01.exe
2380	winupd01.exe
1596	winupd01.exe
1648	winupd01.exe
2836	winupd01.exe
2784	winupd01.exe
2092	winupd01.exe
2804	winupd01.exe
1756	winupd01.exe
1188	winupd01.exe
2496	winupd01.exe
896	winupd01.exe
728	winupd01.exe
2256	winupd01.exe
292	winupd01.exe
2756	winupd01.exe
2640	winupd01.exe
2668	winupd01.exe
1968	winupd01.exe
348	winupd01.exe
2212	winupd01.exe
304	winupd01.exe
860	winupd01.exe
1768	winupd01.exe
680	winupd01.exe
1824	winupd01.exe
2988	winupd01.exe
2736	winupd01.exe
344	winupd01.exe
2260	winupd01.exe
2508	winupd01.exe
2244	winupd01.exe
1752	winupd01.exe
948	winupd01.exe
1612	winupd01.exe
1676	winupd01.exe
2520	winupd01.exe
2332	winupd01.exe
740	winupd01.exe
1608	winupd01.exe
2952	winupd01.exe
2712	winupd01.exe
2240	winupd01.exe
1624	winupd01.exe
844	winupd01.exe
1512	winupd01.exe
928	winupd01.exe
856	winupd01.exe
2620	winupd01.exe
2780	winupd01.exe
936	winupd01.exe
1408	winupd01.exe
2652	winupd01.exe
3068	winupd01.exe
1076	winupd01.exe
844	winupd01.exe
1932	winupd01.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2524	2420	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2736	2524	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2736	2524	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2736	2524	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2736	2524	bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe	33
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2736 wrote to memory of 2064	2736	winupd01.exe	34
PID 2064 wrote to memory of 2628	2064	winupd01.exe	35
PID 2064 wrote to memory of 2628	2064	winupd01.exe	35
PID 2064 wrote to memory of 2628	2064	winupd01.exe	35
PID 2064 wrote to memory of 2628	2064	winupd01.exe	35
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2628 wrote to memory of 2088	2628	winupd01.exe	36
PID 2088 wrote to memory of 2980	2088	winupd01.exe	37
PID 2088 wrote to memory of 2980	2088	winupd01.exe	37
PID 2088 wrote to memory of 2980	2088	winupd01.exe	37
PID 2088 wrote to memory of 2980	2088	winupd01.exe	37
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 2980 wrote to memory of 332	2980	winupd01.exe	38
PID 332 wrote to memory of 2060	332	winupd01.exe	39
PID 332 wrote to memory of 2060	332	winupd01.exe	39
PID 332 wrote to memory of 2060	332	winupd01.exe	39
PID 332 wrote to memory of 2060	332	winupd01.exe	39
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 2060 wrote to memory of 620	2060	winupd01.exe	40
PID 620 wrote to memory of 1792	620	winupd01.exe	41
PID 620 wrote to memory of 1792	620	winupd01.exe	41
PID 620 wrote to memory of 1792	620	winupd01.exe	41
PID 620 wrote to memory of 1792	620	winupd01.exe	41
PID 1792 wrote to memory of 2204	1792	winupd01.exe	42
PID 1792 wrote to memory of 2204	1792	winupd01.exe	42
PID 1792 wrote to memory of 2204	1792	winupd01.exe	42
PID 1792 wrote to memory of 2204	1792	winupd01.exe	42

C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bc94aaa11cb54dcf3c211af470b7ba4c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\winupd01.exe
    "C:\Windows\system32\winupd01.exe" C:\Users\Admin\AppData\Local\Temp\BC94AA~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\winupd01.exe
      "C:\Windows\system32\winupd01.exe" C:\Users\Admin\AppData\Local\Temp\BC94AA~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:408
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:484
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:876
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1920
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2468
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        66⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        68⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:344
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1276
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        74⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2944
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        78⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        80⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        82⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1636
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        86⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        90⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        94⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        96⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        98⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        100⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        102⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        104⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        105⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        106⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        111⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        112⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        113⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        118⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        120⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1212
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        121⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        124⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        125⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        127⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        128⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        129⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        132⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        133⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\winupd01.exe
        
        "C:\Windows\system32\winupd01.exe" C:\Windows\SysWOW64\winupd01.exe
        134⤵
        Drops file in System32 directory
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\winupd01.exe

Filesize
154KB

MD5
bc94aaa11cb54dcf3c211af470b7ba4c

SHA1
8c3dbc8108ba0d2e36339286feea7d484550e48d

SHA256
ef354f62f14cc9a691116807f73fab18a1ec3033c7dc415e701066b03d82e9fd

SHA512
6b00faca670f989345da92ddd00580c2d637ffdb35258b799bbe43fd56fc74368ab9852d649823f73fd0809068a99ab8e9fc2f8a42e01f38026bedb52795865e

Download Submit
memory/316-204-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/332-87-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/332-80-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/332-81-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/332-78-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/444-856-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/444-851-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/484-297-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/620-107-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/876-387-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/924-477-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1028-402-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1032-165-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1044-792-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1044-789-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1212-997-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1212-1000-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1276-611-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1276-616-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1520-357-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1524-707-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1524-712-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1552-723-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1552-728-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1584-342-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1616-965-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1616-968-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1636-696-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1636-691-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1732-899-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1732-904-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1744-867-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1744-872-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1824-915-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1824-920-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1916-680-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1916-675-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1920-522-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1928-492-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2040-146-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2044-312-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2064-50-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2064-41-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2064-44-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2064-43-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2072-835-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2072-840-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2084-447-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-60-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-62-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-63-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2088-67-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2168-537-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2196-882-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2196-888-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2204-126-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2216-664-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2216-659-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2356-1042-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2356-1048-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2360-819-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2360-824-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2384-262-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2420-13-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2452-417-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2468-552-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2492-327-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2496-1032-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2496-1027-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2512-372-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-15-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-3-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-17-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-16-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-0-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-14-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-7-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-4-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-12-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2524-30-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2548-507-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2588-185-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2628-61-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2648-600-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2648-597-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2692-282-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2724-776-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2724-773-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2736-42-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2768-243-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2832-563-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2832-568-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2840-462-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2852-930-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2852-936-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2876-952-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2876-949-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2884-1058-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2892-755-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2892-760-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2908-578-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2908-584-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-802-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2924-808-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2944-632-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2944-627-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2976-643-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2976-648-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2980-79-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2992-223-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2996-738-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2996-744-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3004-432-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3020-1011-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3020-1016-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3044-981-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3044-984-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download