darkcomet | 6400b35a445bb90a013645eab7ea6921d007520946f54eba0af1208a31d5db4a

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Size

902KB
MD5

9f5ee49de5c0c6c17509bf8877ea4c8d
SHA1

84388180e26d0db6c084188d21254f83e9bfed37
SHA256

6400b35a445bb90a013645eab7ea6921d007520946f54eba0af1208a31d5db4a
SHA512

98ba3bd395883a30a1b87f8b12a67963c0737f9b25de7c784aa523392d7a97d7c10fe8ec7541e69ca5144ec11b30e0c66601386288910f193f5d69f79361c6f6
SSDEEP

24576:U0qrkHUeKVb8lc3IKQ2Z8qr92oZSX/2E67O9:U0qr63ah8M92Nl67O

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Executes dropped EXE 46 IoCs

pid	Process
2584	winupdate.exe
2876	winupdate.exe
2488	winupdate.exe
2544	winupdate.exe
572	winupdate.exe
2008	winupdate.exe
1704	winupdate.exe
1996	winupdate.exe
2124	winupdate.exe
1792	winupdate.exe
1256	winupdate.exe
1540	winupdate.exe
2100	winupdate.exe
880	winupdate.exe
2112	winupdate.exe
1712	winupdate.exe
2856	winupdate.exe
2776	winupdate.exe
2572	winupdate.exe
2788	winupdate.exe
2952	winupdate.exe
748	winupdate.exe
572	winupdate.exe
1992	winupdate.exe
1244	winupdate.exe
1544	winupdate.exe
2804	winupdate.exe
2892	winupdate.exe
2668	winupdate.exe
3032	winupdate.exe
1612	winupdate.exe
1400	winupdate.exe
2168	winupdate.exe
1228	winupdate.exe
1508	winupdate.exe
1520	winupdate.exe
2428	winupdate.exe
1644	winupdate.exe
2584	winupdate.exe
2872	winupdate.exe
2616	winupdate.exe
2240	winupdate.exe
1096	winupdate.exe
1492	winupdate.exe
112	winupdate.exe
1724	winupdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
2584	winupdate.exe
2584	winupdate.exe
2584	winupdate.exe
2584	winupdate.exe
2876	winupdate.exe
2876	winupdate.exe
2876	winupdate.exe
2876	winupdate.exe
2488	winupdate.exe
2488	winupdate.exe
2488	winupdate.exe
2488	winupdate.exe
2544	winupdate.exe
2544	winupdate.exe
2544	winupdate.exe
2544	winupdate.exe
572	winupdate.exe
572	winupdate.exe
572	winupdate.exe
572	winupdate.exe
2008	winupdate.exe
2008	winupdate.exe
2008	winupdate.exe
2008	winupdate.exe
1704	winupdate.exe
1704	winupdate.exe
1704	winupdate.exe
1704	winupdate.exe
1996	winupdate.exe
1996	winupdate.exe
1996	winupdate.exe
1996	winupdate.exe
2124	winupdate.exe
2124	winupdate.exe
2124	winupdate.exe
2124	winupdate.exe
1792	winupdate.exe
1792	winupdate.exe
1792	winupdate.exe
1792	winupdate.exe
1256	winupdate.exe
1256	winupdate.exe
1256	winupdate.exe
1256	winupdate.exe
1540	winupdate.exe
1540	winupdate.exe
1540	winupdate.exe
1540	winupdate.exe
2100	winupdate.exe
2100	winupdate.exe
2100	winupdate.exe
2100	winupdate.exe
880	winupdate.exe
880	winupdate.exe
880	winupdate.exe
880	winupdate.exe
2112	winupdate.exe
2112	winupdate.exe
2112	winupdate.exe
2112	winupdate.exe
1712	winupdate.exe
1712	winupdate.exe
1712	winupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2584 set thread context of 2876	2584	winupdate.exe	30
PID 2488 set thread context of 2544	2488	winupdate.exe	32
PID 572 set thread context of 2008	572	winupdate.exe	34
PID 1704 set thread context of 1996	1704	winupdate.exe	36
PID 2124 set thread context of 1792	2124	winupdate.exe	40
PID 1256 set thread context of 1540	1256	winupdate.exe	42
PID 2100 set thread context of 880	2100	winupdate.exe	44
PID 2856 set thread context of 2776	2856	winupdate.exe	48
PID 2572 set thread context of 2788	2572	winupdate.exe	50
PID 2952 set thread context of 748	2952	winupdate.exe	52
PID 572 set thread context of 1992	572	winupdate.exe	54
PID 1244 set thread context of 1544	1244	winupdate.exe	56
PID 2804 set thread context of 2892	2804	winupdate.exe	58
PID 2668 set thread context of 3032	2668	winupdate.exe	60
PID 1612 set thread context of 1400	1612	winupdate.exe	62
PID 2168 set thread context of 1228	2168	winupdate.exe	64
PID 1508 set thread context of 1520	1508	winupdate.exe	66
PID 2428 set thread context of 1644	2428	winupdate.exe	68
PID 2584 set thread context of 2872	2584	winupdate.exe	70
PID 2616 set thread context of 2240	2616	winupdate.exe	72
PID 1096 set thread context of 1492	1096	winupdate.exe	74
PID 112 set thread context of 1724	112	winupdate.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSecurityPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeTakeOwnershipPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeLoadDriverPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSystemProfilePrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSystemtimePrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeProfSingleProcessPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeIncBasePriorityPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeCreatePagefilePrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeBackupPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeRestorePrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeShutdownPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeDebugPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSystemEnvironmentPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeChangeNotifyPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeRemoteShutdownPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeUndockPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeManageVolumePrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeImpersonatePrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeCreateGlobalPrivilege	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: 33	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: 34	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: 35	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeIncreaseQuotaPrivilege	2876	winupdate.exe
Token: SeSecurityPrivilege	2876	winupdate.exe
Token: SeTakeOwnershipPrivilege	2876	winupdate.exe
Token: SeLoadDriverPrivilege	2876	winupdate.exe
Token: SeSystemProfilePrivilege	2876	winupdate.exe
Token: SeSystemtimePrivilege	2876	winupdate.exe
Token: SeProfSingleProcessPrivilege	2876	winupdate.exe
Token: SeIncBasePriorityPrivilege	2876	winupdate.exe
Token: SeCreatePagefilePrivilege	2876	winupdate.exe
Token: SeBackupPrivilege	2876	winupdate.exe
Token: SeRestorePrivilege	2876	winupdate.exe
Token: SeShutdownPrivilege	2876	winupdate.exe
Token: SeDebugPrivilege	2876	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2876	winupdate.exe
Token: SeChangeNotifyPrivilege	2876	winupdate.exe
Token: SeRemoteShutdownPrivilege	2876	winupdate.exe
Token: SeUndockPrivilege	2876	winupdate.exe
Token: SeManageVolumePrivilege	2876	winupdate.exe
Token: SeImpersonatePrivilege	2876	winupdate.exe
Token: SeCreateGlobalPrivilege	2876	winupdate.exe
Token: 33	2876	winupdate.exe
Token: 34	2876	winupdate.exe
Token: 35	2876	winupdate.exe
Token: SeRestorePrivilege	2876	winupdate.exe
Token: SeBackupPrivilege	2876	winupdate.exe
Token: SeIncreaseQuotaPrivilege	2544	winupdate.exe
Token: SeSecurityPrivilege	2544	winupdate.exe
Token: SeTakeOwnershipPrivilege	2544	winupdate.exe
Token: SeLoadDriverPrivilege	2544	winupdate.exe
Token: SeSystemProfilePrivilege	2544	winupdate.exe
Token: SeSystemtimePrivilege	2544	winupdate.exe
Token: SeProfSingleProcessPrivilege	2544	winupdate.exe
Token: SeIncBasePriorityPrivilege	2544	winupdate.exe
Token: SeCreatePagefilePrivilege	2544	winupdate.exe
Token: SeBackupPrivilege	2544	winupdate.exe
Token: SeRestorePrivilege	2544	winupdate.exe
Token: SeShutdownPrivilege	2544	winupdate.exe
Token: SeDebugPrivilege	2544	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2544	winupdate.exe
Token: SeChangeNotifyPrivilege	2544	winupdate.exe
Token: SeRemoteShutdownPrivilege	2544	winupdate.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
2584	winupdate.exe
2488	winupdate.exe
572	winupdate.exe
1704	winupdate.exe
2124	winupdate.exe
1256	winupdate.exe
2100	winupdate.exe
2856	winupdate.exe
2572	winupdate.exe
2952	winupdate.exe
572	winupdate.exe
1244	winupdate.exe
2804	winupdate.exe
2668	winupdate.exe
1612	winupdate.exe
2168	winupdate.exe
1508	winupdate.exe
2428	winupdate.exe
2584	winupdate.exe
2616	winupdate.exe
1096	winupdate.exe
112	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2416 wrote to memory of 2916	2416	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	28
PID 2916 wrote to memory of 2584	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	29
PID 2916 wrote to memory of 2584	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	29
PID 2916 wrote to memory of 2584	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	29
PID 2916 wrote to memory of 2584	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	29
PID 2916 wrote to memory of 2584	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	29
PID 2916 wrote to memory of 2584	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	29
PID 2916 wrote to memory of 2584	2916	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	29
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2584 wrote to memory of 2876	2584	winupdate.exe	30
PID 2876 wrote to memory of 2488	2876	winupdate.exe	31
PID 2876 wrote to memory of 2488	2876	winupdate.exe	31
PID 2876 wrote to memory of 2488	2876	winupdate.exe	31
PID 2876 wrote to memory of 2488	2876	winupdate.exe	31
PID 2876 wrote to memory of 2488	2876	winupdate.exe	31
PID 2876 wrote to memory of 2488	2876	winupdate.exe	31
PID 2876 wrote to memory of 2488	2876	winupdate.exe	31
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32
PID 2488 wrote to memory of 2544	2488	winupdate.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\winupdate\winupdate.exe
    "C:\Windows\System32\winupdate\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\winupdate\winupdate.exe
      "C:\Windows\SysWOW64\winupdate\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2008
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1996
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1792
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1540
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:880
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1712
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2776
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2788
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:748
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        26⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1992
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        28⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1544
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        30⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2892
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        32⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3032
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        34⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1400
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        36⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1228
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        38⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1520
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        40⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1644
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        42⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2872
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        44⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2240
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        46⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1492
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        48⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\winupdate\winupdate.exe

Filesize
902KB

MD5
9f5ee49de5c0c6c17509bf8877ea4c8d

SHA1
84388180e26d0db6c084188d21254f83e9bfed37

SHA256
6400b35a445bb90a013645eab7ea6921d007520946f54eba0af1208a31d5db4a

SHA512
98ba3bd395883a30a1b87f8b12a67963c0737f9b25de7c784aa523392d7a97d7c10fe8ec7541e69ca5144ec11b30e0c66601386288910f193f5d69f79361c6f6

Download Submit
memory/572-87-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/572-281-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/572-280-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/572-282-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/572-85-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/572-92-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/572-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/572-84-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/748-272-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/880-203-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/880-198-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/880-200-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/880-202-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/880-201-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/880-205-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/880-204-0x0000000004210000-0x0000000004222000-memory.dmp

Filesize
72KB

Download
memory/1256-171-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1256-170-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1256-179-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1256-176-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1256-172-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1256-166-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1540-187-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1540-186-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1540-180-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1540-185-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1704-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1704-121-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1704-113-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1704-118-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1704-114-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1712-218-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1712-220-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1712-219-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1712-224-0x0000000004210000-0x0000000004222000-memory.dmp

Filesize
72KB

Download
memory/1712-238-0x0000000004210000-0x0000000004222000-memory.dmp

Filesize
72KB

Download
memory/1792-161-0x0000000004200000-0x0000000004212000-memory.dmp

Filesize
72KB

Download
memory/1792-162-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1792-150-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1792-156-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1792-159-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1792-158-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1792-153-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1792-157-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/1996-130-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1996-129-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/1996-133-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1996-132-0x0000000004240000-0x0000000004252000-memory.dmp

Filesize
72KB

Download
memory/1996-122-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1996-127-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1996-128-0x0000000000230000-0x0000000000242000-memory.dmp

Filesize
72KB

Download
memory/2008-100-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2008-105-0x0000000004200000-0x0000000004212000-memory.dmp

Filesize
72KB

Download
memory/2008-101-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2008-102-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2008-99-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2008-93-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2008-98-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2008-104-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2100-190-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2100-195-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2100-194-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2100-193-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2100-197-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2112-209-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2112-213-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2112-211-0x0000000077930000-0x0000000077A2A000-memory.dmp

Filesize
1000KB

Download
memory/2112-208-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-141-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2124-142-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2124-143-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2124-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-149-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2416-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2416-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2488-61-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2488-58-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2488-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2488-59-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2488-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2544-71-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2544-70-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2544-74-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2544-73-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2544-72-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2544-64-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2544-76-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2572-244-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2572-251-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2572-245-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2572-246-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2572-243-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2584-44-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2584-33-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2584-26-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2584-28-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2584-29-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2584-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2776-242-0x0000000004200000-0x0000000004212000-memory.dmp

Filesize
72KB

Download
memory/2776-237-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2788-254-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2788-274-0x0000000004210000-0x0000000004222000-memory.dmp

Filesize
72KB

Download
memory/2788-255-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2856-236-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2856-227-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2856-225-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2856-228-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2856-226-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2876-47-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2876-36-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2876-41-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2876-43-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2876-42-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2876-45-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2876-49-0x0000000004200000-0x0000000004212000-memory.dmp

Filesize
72KB

Download
memory/2916-22-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2916-6-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2916-8-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2916-3-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2916-7-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2916-4-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2916-15-0x00000000041E0000-0x00000000041F2000-memory.dmp

Filesize
72KB

Download
memory/2916-9-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2952-260-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-271-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-266-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2952-263-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2952-262-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download
memory/2952-261-0x0000000000020000-0x0000000000032000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads