Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
15/04/2025, 06:41
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
24 signatures
150 seconds
General
-
Target
JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe
-
Size
728KB
-
MD5
b972533e1d6e20b55a10bc2f11bd1c8d
-
SHA1
37145911c18b6f65e6879771c2caaf7772081378
-
SHA256
30c0b480c6ea96f1c4964f4b228b9f9e05bdb93f552a63d8d4c78412ae1a2700
-
SHA512
966ec64ea77d103a1d561bd0eb0ce20399f164c8d95364b6e6544a45498a2b3fb56150a33175c2dad52252e57f3fc69746ee649770e392a2bca705eb4d76d60e
-
SSDEEP
12288:tK2IV1diFZ08/H0jPB1BCv/o7F0lYWdsDdILCfqjZA+Hdpix94AiYJpIoFsZyGW:t0VTG5/He/BCnEeYlDdIL2qNA+biP4He
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
amoresperros.zapto.org:1604
Mutex
DC_MUTEX-Q3P2EXK
Attributes
-
InstallPath
Windupdt\winupdate.exe
-
gencode
lDDSRnGWjg.j
-
install
true
-
offline_keylogger
false
-
persistence
true
-
reg_key
winupdater
rc4.plain
Extracted
Family
latentbot
C2
amoresperros.zapto.org
Signatures
-
Darkcomet family
-
Latentbot family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe -
Modifies firewall policy service 3 TTPs 51 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe -
Modifies security service 2 TTPs 17 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe -
Windows security bypass 2 TTPs 17 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe -
Deletes itself 1 IoCs
pid Process 4852 notepad.exe -
Executes dropped EXE 34 IoCs
pid Process 5392 winupdate.exe 1600 winupdate.exe 644 winupdate.exe 4824 winupdate.exe 4812 winupdate.exe 3984 winupdate.exe 6092 winupdate.exe 5272 winupdate.exe 1440 winupdate.exe 4308 winupdate.exe 6052 winupdate.exe 4044 winupdate.exe 332 winupdate.exe 4408 winupdate.exe 2244 winupdate.exe 2464 winupdate.exe 3704 winupdate.exe 3584 winupdate.exe 960 winupdate.exe 5036 winupdate.exe 5308 winupdate.exe 5388 winupdate.exe 5296 winupdate.exe 4208 winupdate.exe 4832 winupdate.exe 5516 winupdate.exe 1588 winupdate.exe 4212 winupdate.exe 3448 winupdate.exe 4904 winupdate.exe 3384 winupdate.exe 3652 winupdate.exe 3492 winupdate.exe 3536 winupdate.exe -
Windows security modification 2 TTPs 17 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" notepad.exe -
Suspicious use of SetThreadContext 18 IoCs
description pid Process procid_target PID 5328 set thread context of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5392 set thread context of 644 5392 winupdate.exe 97 PID 1600 set thread context of 4824 1600 winupdate.exe 98 PID 4812 set thread context of 3984 4812 winupdate.exe 104 PID 6092 set thread context of 5272 6092 winupdate.exe 116 PID 1440 set thread context of 4308 1440 winupdate.exe 121 PID 6052 set thread context of 4044 6052 winupdate.exe 127 PID 332 set thread context of 4408 332 winupdate.exe 133 PID 2244 set thread context of 2464 2244 winupdate.exe 138 PID 3704 set thread context of 3584 3704 winupdate.exe 143 PID 960 set thread context of 5036 960 winupdate.exe 148 PID 5308 set thread context of 5388 5308 winupdate.exe 153 PID 5296 set thread context of 4208 5296 winupdate.exe 158 PID 4832 set thread context of 5516 4832 winupdate.exe 163 PID 1588 set thread context of 4212 1588 winupdate.exe 168 PID 3448 set thread context of 4904 3448 winupdate.exe 173 PID 3384 set thread context of 3652 3384 winupdate.exe 178 PID 3492 set thread context of 3536 3492 winupdate.exe 183 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString winupdate.exe -
Enumerates system info in registry 2 TTPs 18 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier winupdate.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 644 winupdate.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeSecurityPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeTakeOwnershipPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeLoadDriverPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeSystemProfilePrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeSystemtimePrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeProfSingleProcessPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeIncBasePriorityPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeCreatePagefilePrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeBackupPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeRestorePrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeShutdownPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeDebugPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeSystemEnvironmentPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeChangeNotifyPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeRemoteShutdownPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeUndockPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeManageVolumePrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeImpersonatePrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeCreateGlobalPrivilege 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: 33 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: 34 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: 35 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: 36 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe Token: SeIncreaseQuotaPrivilege 644 winupdate.exe Token: SeSecurityPrivilege 644 winupdate.exe Token: SeTakeOwnershipPrivilege 644 winupdate.exe Token: SeLoadDriverPrivilege 644 winupdate.exe Token: SeSystemProfilePrivilege 644 winupdate.exe Token: SeSystemtimePrivilege 644 winupdate.exe Token: SeProfSingleProcessPrivilege 644 winupdate.exe Token: SeIncBasePriorityPrivilege 644 winupdate.exe Token: SeCreatePagefilePrivilege 644 winupdate.exe Token: SeBackupPrivilege 644 winupdate.exe Token: SeRestorePrivilege 644 winupdate.exe Token: SeShutdownPrivilege 644 winupdate.exe Token: SeDebugPrivilege 644 winupdate.exe Token: SeSystemEnvironmentPrivilege 644 winupdate.exe Token: SeChangeNotifyPrivilege 644 winupdate.exe Token: SeRemoteShutdownPrivilege 644 winupdate.exe Token: SeUndockPrivilege 644 winupdate.exe Token: SeManageVolumePrivilege 644 winupdate.exe Token: SeImpersonatePrivilege 644 winupdate.exe Token: SeCreateGlobalPrivilege 644 winupdate.exe Token: 33 644 winupdate.exe Token: 34 644 winupdate.exe Token: 35 644 winupdate.exe Token: 36 644 winupdate.exe Token: SeIncreaseQuotaPrivilege 4824 winupdate.exe Token: SeSecurityPrivilege 4824 winupdate.exe Token: SeTakeOwnershipPrivilege 4824 winupdate.exe Token: SeLoadDriverPrivilege 4824 winupdate.exe Token: SeSystemProfilePrivilege 4824 winupdate.exe Token: SeSystemtimePrivilege 4824 winupdate.exe Token: SeProfSingleProcessPrivilege 4824 winupdate.exe Token: SeIncBasePriorityPrivilege 4824 winupdate.exe Token: SeCreatePagefilePrivilege 4824 winupdate.exe Token: SeBackupPrivilege 4824 winupdate.exe Token: SeRestorePrivilege 4824 winupdate.exe Token: SeShutdownPrivilege 4824 winupdate.exe Token: SeDebugPrivilege 4824 winupdate.exe Token: SeSystemEnvironmentPrivilege 4824 winupdate.exe Token: SeChangeNotifyPrivilege 4824 winupdate.exe Token: SeRemoteShutdownPrivilege 4824 winupdate.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 5392 winupdate.exe 1600 winupdate.exe 4812 winupdate.exe 6092 winupdate.exe 1440 winupdate.exe 6052 winupdate.exe 332 winupdate.exe 2244 winupdate.exe 3704 winupdate.exe 960 winupdate.exe 5308 winupdate.exe 5296 winupdate.exe 4832 winupdate.exe 1588 winupdate.exe 3448 winupdate.exe 3384 winupdate.exe 3492 winupdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 5328 wrote to memory of 2112 5328 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 87 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 232 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 90 PID 2112 wrote to memory of 5220 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 92 PID 2112 wrote to memory of 5220 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 92 PID 2112 wrote to memory of 5220 2112 JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe 92 PID 2428 wrote to memory of 5392 2428 cmd.exe 95 PID 2428 wrote to memory of 5392 2428 cmd.exe 95 PID 2428 wrote to memory of 5392 2428 cmd.exe 95 PID 452 wrote to memory of 1600 452 cmd.exe 96 PID 452 wrote to memory of 1600 452 cmd.exe 96 PID 452 wrote to memory of 1600 452 cmd.exe 96 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 5392 wrote to memory of 644 5392 winupdate.exe 97 PID 1600 wrote to memory of 4824 1600 winupdate.exe 98 PID 1600 wrote to memory of 4824 1600 winupdate.exe 98 PID 1600 wrote to memory of 4824 1600 winupdate.exe 98 PID 1600 wrote to memory of 4824 1600 winupdate.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5328 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:232
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵PID:5220
-
-
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4812 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3984 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"5⤵PID:1352
-
-
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:4852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5392 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:644 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:4668
-
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe4⤵
- System Location Discovery: System Language Discovery
PID:4676
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4824 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:4788
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:3180
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6092 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:5272 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5976
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:5784
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1440 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4308 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:4068
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:6136
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6052 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4044 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5860
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:3964
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:332 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4408 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5212
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:5240
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2244 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2464 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:3736
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:2656
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3704 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3584 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:1608
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:5188
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:960 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:5036 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:1896
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:3184
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5308 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:5388 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5248
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:2944
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5296 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4208 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:3512
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:2708
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4832 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:5516 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5304
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:5220
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1588 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4212 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:2300
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:4116
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3448 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4904 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5840
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:2508
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3384 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3652 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5272
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windupdt\winupdate.exe1⤵PID:2316
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3492 -
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3536 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵PID:5880
-
-
-
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3342763580-2723508992-2885672917-1000\88603cb2913a7df3fbd16b5f958e6447_63e48d52-8c45-4cbc-90d9-6336485f78d0
Filesize51B
MD55fc2ac2a310f49c14d195230b91a8885
SHA190855cc11136ba31758fe33b5cf9571f9a104879
SHA256374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
SHA512ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
-
Filesize
728KB
MD5b972533e1d6e20b55a10bc2f11bd1c8d
SHA137145911c18b6f65e6879771c2caaf7772081378
SHA25630c0b480c6ea96f1c4964f4b228b9f9e05bdb93f552a63d8d4c78412ae1a2700
SHA512966ec64ea77d103a1d561bd0eb0ce20399f164c8d95364b6e6544a45498a2b3fb56150a33175c2dad52252e57f3fc69746ee649770e392a2bca705eb4d76d60e