darkcomet | b6dad4fb20fa3016a09a5fb5f8b81be15090ec4c4315ad1c57699bced67e5808

Analysis

max time kernel
146s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Size

336KB
MD5

ba1a32fd54153aab9179ec37f1967729
SHA1

32b716bd80641f6000eb1ee0f167021dd27699d9
SHA256

b6dad4fb20fa3016a09a5fb5f8b81be15090ec4c4315ad1c57699bced67e5808
SHA512

149fc586ea1e452cba3914503fcbc7e3ca0170425f58be087412fd8a87fbf4bbbe7858ab4f51073c33309e05a9f63aadf90c357fecb894daf9a14f99bdad84d0
SSDEEP

6144:3QhNn/UqgLbGZJ7nislMrZAckccHg5LCFukA1YnFug0ma+jmvUBE1F/di:3gqunin1ApLApCFp5nF4+je1lM

Score

10^/10

darkcomet guest1 discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1

cantaprova1.no-ip.biz:1604

Mutex

DC_MUTEX-ZDTZ2AL

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
k=s2P0je-Z=n
install
true
offline_keylogger
true
password
123456
persistence
true
reg_key
winupdater

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 23 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Checks BIOS information in registry 2 TTPs 23 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Executes dropped EXE 44 IoCs

pid	Process
4840	winupdate.exe
4956	winupdate.exe
2416	winupdate.exe
804	winupdate.exe
3316	winupdate.exe
4896	winupdate.exe
5916	winupdate.exe
5436	winupdate.exe
4860	winupdate.exe
4180	winupdate.exe
400	winupdate.exe
2092	winupdate.exe
780	winupdate.exe
5792	winupdate.exe
4732	winupdate.exe
4340	winupdate.exe
988	winupdate.exe
5844	winupdate.exe
2596	winupdate.exe
3492	winupdate.exe
5252	winupdate.exe
776	winupdate.exe
5992	winupdate.exe
2180	winupdate.exe
1296	winupdate.exe
1348	winupdate.exe
656	winupdate.exe
3936	winupdate.exe
5004	winupdate.exe
5660	winupdate.exe
4728	winupdate.exe
5836	winupdate.exe
5124	winupdate.exe
5196	winupdate.exe
2272	winupdate.exe
4452	winupdate.exe
4968	winupdate.exe
4840	winupdate.exe
5300	winupdate.exe
3324	winupdate.exe
5072	winupdate.exe
4616	winupdate.exe
5388	winupdate.exe
5024	winupdate.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Maps connected drives based on registry 3 TTPs 46 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winupdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	winupdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 4840 set thread context of 4956	4840	winupdate.exe	84
PID 2416 set thread context of 804	2416	winupdate.exe	89
PID 3316 set thread context of 4896	3316	winupdate.exe	94
PID 5916 set thread context of 5436	5916	winupdate.exe	99
PID 4860 set thread context of 4180	4860	winupdate.exe	104
PID 400 set thread context of 2092	400	winupdate.exe	109
PID 780 set thread context of 5792	780	winupdate.exe	114
PID 4732 set thread context of 4340	4732	winupdate.exe	119
PID 988 set thread context of 5844	988	winupdate.exe	124
PID 2596 set thread context of 3492	2596	winupdate.exe	129
PID 5252 set thread context of 776	5252	winupdate.exe	134
PID 5992 set thread context of 2180	5992	winupdate.exe	139
PID 1296 set thread context of 1348	1296	winupdate.exe	144
PID 656 set thread context of 3936	656	winupdate.exe	149
PID 5004 set thread context of 5660	5004	winupdate.exe	154
PID 4728 set thread context of 5836	4728	winupdate.exe	159
PID 5124 set thread context of 5196	5124	winupdate.exe	164
PID 2272 set thread context of 4452	2272	winupdate.exe	169
PID 4968 set thread context of 4840	4968	winupdate.exe	174
PID 5300 set thread context of 3324	5300	winupdate.exe	179
PID 5072 set thread context of 4616	5072	winupdate.exe	184
PID 5388 set thread context of 5024	5388	winupdate.exe	189

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5848-2-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5848-3-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5848-4-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5848-5-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5848-6-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5848-40-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5848-69-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4956-75-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4956-76-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4956-77-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4956-79-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/804-84-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/804-85-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4896-91-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4896-92-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5436-98-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5436-99-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5792-119-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5792-120-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4340-126-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/4340-127-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5844-133-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5844-134-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/3492-140-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/3492-141-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/2180-155-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/1348-161-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/1348-162-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/3936-168-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/3936-169-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5660-175-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5660-176-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5836-182-0x0000000013140000-0x00000000131FD000-memory.dmp	upx
behavioral2/memory/5836-183-0x0000000013140000-0x00000000131FD000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe

Enumerates system info in registry 2 TTPs 23 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeSecurityPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeTakeOwnershipPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeLoadDriverPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeSystemProfilePrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeSystemtimePrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeProfSingleProcessPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeIncBasePriorityPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeCreatePagefilePrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeBackupPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeRestorePrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeShutdownPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeDebugPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeSystemEnvironmentPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeChangeNotifyPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeRemoteShutdownPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeUndockPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeManageVolumePrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeImpersonatePrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeCreateGlobalPrivilege	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: 33	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: 34	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: 35	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: 36	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
Token: SeIncreaseQuotaPrivilege	4956	winupdate.exe
Token: SeSecurityPrivilege	4956	winupdate.exe
Token: SeTakeOwnershipPrivilege	4956	winupdate.exe
Token: SeLoadDriverPrivilege	4956	winupdate.exe
Token: SeSystemProfilePrivilege	4956	winupdate.exe
Token: SeSystemtimePrivilege	4956	winupdate.exe
Token: SeProfSingleProcessPrivilege	4956	winupdate.exe
Token: SeIncBasePriorityPrivilege	4956	winupdate.exe
Token: SeCreatePagefilePrivilege	4956	winupdate.exe
Token: SeBackupPrivilege	4956	winupdate.exe
Token: SeRestorePrivilege	4956	winupdate.exe
Token: SeShutdownPrivilege	4956	winupdate.exe
Token: SeDebugPrivilege	4956	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4956	winupdate.exe
Token: SeChangeNotifyPrivilege	4956	winupdate.exe
Token: SeRemoteShutdownPrivilege	4956	winupdate.exe
Token: SeUndockPrivilege	4956	winupdate.exe
Token: SeManageVolumePrivilege	4956	winupdate.exe
Token: SeImpersonatePrivilege	4956	winupdate.exe
Token: SeCreateGlobalPrivilege	4956	winupdate.exe
Token: 33	4956	winupdate.exe
Token: 34	4956	winupdate.exe
Token: 35	4956	winupdate.exe
Token: 36	4956	winupdate.exe
Token: SeIncreaseQuotaPrivilege	804	winupdate.exe
Token: SeSecurityPrivilege	804	winupdate.exe
Token: SeTakeOwnershipPrivilege	804	winupdate.exe
Token: SeLoadDriverPrivilege	804	winupdate.exe
Token: SeSystemProfilePrivilege	804	winupdate.exe
Token: SeSystemtimePrivilege	804	winupdate.exe
Token: SeProfSingleProcessPrivilege	804	winupdate.exe
Token: SeIncBasePriorityPrivilege	804	winupdate.exe
Token: SeCreatePagefilePrivilege	804	winupdate.exe
Token: SeBackupPrivilege	804	winupdate.exe
Token: SeRestorePrivilege	804	winupdate.exe
Token: SeShutdownPrivilege	804	winupdate.exe
Token: SeDebugPrivilege	804	winupdate.exe
Token: SeSystemEnvironmentPrivilege	804	winupdate.exe
Token: SeChangeNotifyPrivilege	804	winupdate.exe
Token: SeRemoteShutdownPrivilege	804	winupdate.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
4840	winupdate.exe
2416	winupdate.exe
3316	winupdate.exe
5916	winupdate.exe
4860	winupdate.exe
400	winupdate.exe
780	winupdate.exe
4732	winupdate.exe
988	winupdate.exe
2596	winupdate.exe
5252	winupdate.exe
5992	winupdate.exe
1296	winupdate.exe
656	winupdate.exe
5004	winupdate.exe
4728	winupdate.exe
5124	winupdate.exe
2272	winupdate.exe
4968	winupdate.exe
5300	winupdate.exe
5072	winupdate.exe
5388	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 1788 wrote to memory of 5848	1788	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	79
PID 5848 wrote to memory of 5380	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	82
PID 5848 wrote to memory of 5380	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	82
PID 5848 wrote to memory of 5380	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	82
PID 5848 wrote to memory of 4840	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	83
PID 5848 wrote to memory of 4840	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	83
PID 5848 wrote to memory of 4840	5848	JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe	83
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4840 wrote to memory of 4956	4840	winupdate.exe	84
PID 4956 wrote to memory of 4960	4956	winupdate.exe	87
PID 4956 wrote to memory of 4960	4956	winupdate.exe	87
PID 4956 wrote to memory of 4960	4956	winupdate.exe	87
PID 4956 wrote to memory of 2416	4956	winupdate.exe	88
PID 4956 wrote to memory of 2416	4956	winupdate.exe	88
PID 4956 wrote to memory of 2416	4956	winupdate.exe	88
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 2416 wrote to memory of 804	2416	winupdate.exe	89
PID 804 wrote to memory of 5544	804	winupdate.exe	92
PID 804 wrote to memory of 5544	804	winupdate.exe	92
PID 804 wrote to memory of 5544	804	winupdate.exe	92
PID 804 wrote to memory of 3316	804	winupdate.exe	93
PID 804 wrote to memory of 3316	804	winupdate.exe	93
PID 804 wrote to memory of 3316	804	winupdate.exe	93
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 3316 wrote to memory of 4896	3316	winupdate.exe	94
PID 4896 wrote to memory of 1596	4896	winupdate.exe	97
PID 4896 wrote to memory of 1596	4896	winupdate.exe	97
PID 4896 wrote to memory of 1596	4896	winupdate.exe	97
PID 4896 wrote to memory of 5916	4896	winupdate.exe	98
PID 4896 wrote to memory of 5916	4896	winupdate.exe	98
PID 4896 wrote to memory of 5916	4896	winupdate.exe	98
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99
PID 5916 wrote to memory of 5436	5916	winupdate.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba1a32fd54153aab9179ec37f1967729.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5848
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      C:\Windows\SysWOW64\Windupdt\winupdate.exe
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        7⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        9⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5916
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4860
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        13⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        15⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        17⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4732
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        19⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        21⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        23⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5252
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        25⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5992
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        26⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        27⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        27⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        28⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        29⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        29⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:656
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        30⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        31⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        31⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        32⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        33⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        33⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        34⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        35⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        35⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5124
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        36⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        37⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        37⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        38⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        39⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        39⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        40⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        41⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        41⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5300
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        42⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        43⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        43⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5072
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        44⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        45⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        45⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5388
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        46⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\Windupdt\winupdate.exe
1⤵
PID:3008

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
336KB

MD5
ba1a32fd54153aab9179ec37f1967729

SHA1
32b716bd80641f6000eb1ee0f167021dd27699d9

SHA256
b6dad4fb20fa3016a09a5fb5f8b81be15090ec4c4315ad1c57699bced67e5808

SHA512
149fc586ea1e452cba3914503fcbc7e3ca0170425f58be087412fd8a87fbf4bbbe7858ab4f51073c33309e05a9f63aadf90c357fecb894daf9a14f99bdad84d0

Download Submit
memory/804-85-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/804-84-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/1348-162-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/1348-161-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2180-155-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/3492-140-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/3492-141-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/3936-168-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/3936-169-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4340-127-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4340-126-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4896-91-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4896-92-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4956-75-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4956-79-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4956-77-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/4956-76-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5436-98-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5436-99-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5660-175-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5660-176-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5792-119-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5792-120-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5836-183-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5836-182-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5844-134-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5844-133-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5848-69-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5848-5-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5848-4-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5848-6-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5848-7-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/5848-40-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5848-2-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/5848-3-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads