darkcomet | 6400b35a445bb90a013645eab7ea6921d007520946f54eba0af1208a31d5db4a

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Size

902KB
MD5

9f5ee49de5c0c6c17509bf8877ea4c8d
SHA1

84388180e26d0db6c084188d21254f83e9bfed37
SHA256

6400b35a445bb90a013645eab7ea6921d007520946f54eba0af1208a31d5db4a
SHA512

98ba3bd395883a30a1b87f8b12a67963c0737f9b25de7c784aa523392d7a97d7c10fe8ec7541e69ca5144ec11b30e0c66601386288910f193f5d69f79361c6f6
SSDEEP

24576:U0qrkHUeKVb8lc3IKQ2Z8qr92oZSX/2E67O9:U0qr63ah8M92Nl67O

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe,C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	winupdate.exe

Executes dropped EXE 46 IoCs

pid	Process
4776	winupdate.exe
4668	winupdate.exe
500	winupdate.exe
2148	winupdate.exe
4468	winupdate.exe
460	winupdate.exe
648	winupdate.exe
3064	winupdate.exe
212	winupdate.exe
3236	winupdate.exe
2272	winupdate.exe
4780	winupdate.exe
2772	winupdate.exe
4604	winupdate.exe
2208	winupdate.exe
4840	winupdate.exe
1348	winupdate.exe
4476	winupdate.exe
4240	winupdate.exe
228	winupdate.exe
1716	winupdate.exe
1264	winupdate.exe
888	winupdate.exe
1688	winupdate.exe
2320	winupdate.exe
5064	winupdate.exe
4312	winupdate.exe
3184	winupdate.exe
1204	winupdate.exe
3084	winupdate.exe
1912	winupdate.exe
3080	winupdate.exe
5096	winupdate.exe
824	winupdate.exe
2636	winupdate.exe
1824	winupdate.exe
1348	winupdate.exe
2956	winupdate.exe
2856	winupdate.exe
4336	winupdate.exe
1464	winupdate.exe
1208	winupdate.exe
4268	winupdate.exe
2072	winupdate.exe
4588	winupdate.exe
4784	winupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\\\winupdate\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\winupdate\	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate\winupdate.exe	winupdate.exe

Suspicious use of SetThreadContext 24 IoCs

description	pid	Process	procid_target
PID 4456 set thread context of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4776 set thread context of 4668	4776	winupdate.exe	86
PID 500 set thread context of 2148	500	winupdate.exe	92
PID 4468 set thread context of 460	4468	winupdate.exe	97
PID 648 set thread context of 3064	648	winupdate.exe	99
PID 212 set thread context of 3236	212	winupdate.exe	102
PID 2272 set thread context of 4780	2272	winupdate.exe	105
PID 2772 set thread context of 4604	2772	winupdate.exe	107
PID 2208 set thread context of 4840	2208	winupdate.exe	109
PID 1348 set thread context of 4476	1348	winupdate.exe	111
PID 4240 set thread context of 228	4240	winupdate.exe	113
PID 1716 set thread context of 1264	1716	winupdate.exe	115
PID 888 set thread context of 1688	888	winupdate.exe	117
PID 2320 set thread context of 5064	2320	winupdate.exe	119
PID 4312 set thread context of 3184	4312	winupdate.exe	121
PID 1204 set thread context of 3084	1204	winupdate.exe	123
PID 1912 set thread context of 3080	1912	winupdate.exe	125
PID 5096 set thread context of 824	5096	winupdate.exe	127
PID 2636 set thread context of 1824	2636	winupdate.exe	129
PID 1348 set thread context of 2956	1348	winupdate.exe	131
PID 2856 set thread context of 4336	2856	winupdate.exe	133
PID 1464 set thread context of 1208	1464	winupdate.exe	135
PID 4268 set thread context of 2072	4268	winupdate.exe	137
PID 4588 set thread context of 4784	4588	winupdate.exe	139

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSecurityPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeTakeOwnershipPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeLoadDriverPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSystemProfilePrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSystemtimePrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeProfSingleProcessPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeIncBasePriorityPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeCreatePagefilePrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeBackupPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeRestorePrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeShutdownPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeDebugPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeSystemEnvironmentPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeChangeNotifyPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeRemoteShutdownPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeUndockPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeManageVolumePrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeImpersonatePrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeCreateGlobalPrivilege	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: 33	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: 34	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: 35	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: 36	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
Token: SeIncreaseQuotaPrivilege	4668	winupdate.exe
Token: SeSecurityPrivilege	4668	winupdate.exe
Token: SeTakeOwnershipPrivilege	4668	winupdate.exe
Token: SeLoadDriverPrivilege	4668	winupdate.exe
Token: SeSystemProfilePrivilege	4668	winupdate.exe
Token: SeSystemtimePrivilege	4668	winupdate.exe
Token: SeProfSingleProcessPrivilege	4668	winupdate.exe
Token: SeIncBasePriorityPrivilege	4668	winupdate.exe
Token: SeCreatePagefilePrivilege	4668	winupdate.exe
Token: SeBackupPrivilege	4668	winupdate.exe
Token: SeRestorePrivilege	4668	winupdate.exe
Token: SeShutdownPrivilege	4668	winupdate.exe
Token: SeDebugPrivilege	4668	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4668	winupdate.exe
Token: SeChangeNotifyPrivilege	4668	winupdate.exe
Token: SeRemoteShutdownPrivilege	4668	winupdate.exe
Token: SeUndockPrivilege	4668	winupdate.exe
Token: SeManageVolumePrivilege	4668	winupdate.exe
Token: SeImpersonatePrivilege	4668	winupdate.exe
Token: SeCreateGlobalPrivilege	4668	winupdate.exe
Token: 33	4668	winupdate.exe
Token: 34	4668	winupdate.exe
Token: 35	4668	winupdate.exe
Token: 36	4668	winupdate.exe
Token: SeIncreaseQuotaPrivilege	2148	winupdate.exe
Token: SeSecurityPrivilege	2148	winupdate.exe
Token: SeTakeOwnershipPrivilege	2148	winupdate.exe
Token: SeLoadDriverPrivilege	2148	winupdate.exe
Token: SeSystemProfilePrivilege	2148	winupdate.exe
Token: SeSystemtimePrivilege	2148	winupdate.exe
Token: SeProfSingleProcessPrivilege	2148	winupdate.exe
Token: SeIncBasePriorityPrivilege	2148	winupdate.exe
Token: SeCreatePagefilePrivilege	2148	winupdate.exe
Token: SeBackupPrivilege	2148	winupdate.exe
Token: SeRestorePrivilege	2148	winupdate.exe
Token: SeShutdownPrivilege	2148	winupdate.exe
Token: SeDebugPrivilege	2148	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2148	winupdate.exe
Token: SeChangeNotifyPrivilege	2148	winupdate.exe
Token: SeRemoteShutdownPrivilege	2148	winupdate.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
4776	winupdate.exe
500	winupdate.exe
4468	winupdate.exe
648	winupdate.exe
212	winupdate.exe
2272	winupdate.exe
2772	winupdate.exe
2208	winupdate.exe
1348	winupdate.exe
4240	winupdate.exe
1716	winupdate.exe
888	winupdate.exe
2320	winupdate.exe
4312	winupdate.exe
1204	winupdate.exe
1912	winupdate.exe
5096	winupdate.exe
2636	winupdate.exe
1348	winupdate.exe
2856	winupdate.exe
1464	winupdate.exe
4268	winupdate.exe
4588	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 4456 wrote to memory of 3940	4456	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	84
PID 3940 wrote to memory of 4776	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	85
PID 3940 wrote to memory of 4776	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	85
PID 3940 wrote to memory of 4776	3940	JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe	85
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4776 wrote to memory of 4668	4776	winupdate.exe	86
PID 4668 wrote to memory of 500	4668	winupdate.exe	91
PID 4668 wrote to memory of 500	4668	winupdate.exe	91
PID 4668 wrote to memory of 500	4668	winupdate.exe	91
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 500 wrote to memory of 2148	500	winupdate.exe	92
PID 2148 wrote to memory of 4468	2148	winupdate.exe	96
PID 2148 wrote to memory of 4468	2148	winupdate.exe	96
PID 2148 wrote to memory of 4468	2148	winupdate.exe	96
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97
PID 4468 wrote to memory of 460	4468	winupdate.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f5ee49de5c0c6c17509bf8877ea4c8d.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\winupdate\winupdate.exe
    "C:\Windows\System32\winupdate\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\winupdate\winupdate.exe
      "C:\Windows\SysWOW64\winupdate\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:500
      - C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        26⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        28⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4312
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        30⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        32⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        34⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        36⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        38⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        40⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        42⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        44⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        46⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\System32\winupdate\winupdate.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Windows\SysWOW64\winupdate\winupdate.exe
        
        "C:\Windows\SysWOW64\winupdate\winupdate.exe"
        48⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winupdate\winupdate.exe

Filesize
902KB

MD5
9f5ee49de5c0c6c17509bf8877ea4c8d

SHA1
84388180e26d0db6c084188d21254f83e9bfed37

SHA256
6400b35a445bb90a013645eab7ea6921d007520946f54eba0af1208a31d5db4a

SHA512
98ba3bd395883a30a1b87f8b12a67963c0737f9b25de7c784aa523392d7a97d7c10fe8ec7541e69ca5144ec11b30e0c66601386288910f193f5d69f79361c6f6

Download Submit
memory/212-123-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/212-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/460-105-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/460-107-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/460-110-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/500-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/500-94-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/648-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/648-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/888-209-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/888-215-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1204-252-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1204-246-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-291-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-299-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-178-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1348-172-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1464-318-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1464-324-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-203-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-197-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1912-255-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1912-264-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2148-99-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2148-93-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2148-95-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2208-166-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2208-160-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2272-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2272-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2320-222-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2320-228-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-282-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2636-288-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2772-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2772-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2856-306-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2856-312-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3064-119-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3064-121-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3064-117-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3236-132-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3236-131-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3940-3-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3940-9-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3940-6-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3940-8-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3940-69-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3940-4-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3940-7-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4240-190-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4240-181-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4268-328-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4268-336-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4312-240-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4312-231-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4456-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4456-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4468-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4468-97-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4476-182-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4476-179-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4588-346-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4588-341-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4604-156-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4604-155-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4604-153-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4668-88-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4668-79-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4668-81-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4668-82-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4776-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4776-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4780-144-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4780-143-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4780-141-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4840-165-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4840-167-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4840-168-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5096-276-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5096-270-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads