darkcomet | c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Size

912KB
MD5

54aff6329b0ce3a2d2f8cc426ecc17f1
SHA1

f411f930447ba9d441faf4f25d442d4f07920254
SHA256

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d
SHA512

be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185
SSDEEP

12288:7cUdGP0khPvPLkOHfYEJUaDE4ji6CAhamR+GzWPfQ/p6ML3nPOnihOmJAKzv88YW:7zALPvzrhE4jrCAhagEMLST0XzvuW

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 23 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe

Executes dropped EXE 23 IoCs

Processes:

pid	process
2036	svchost.exe
1968	svchost.exe
888	svchost.exe
816	svchost.exe
612	svchost.exe
1996	svchost.exe
1888	svchost.exe
1080	svchost.exe
1964	svchost.exe
1368	svchost.exe
1072	svchost.exe
1884	svchost.exe
1552	svchost.exe
1704	svchost.exe
1900	svchost.exe
2016	svchost.exe
1736	svchost.exe
1092	svchost.exe
604	svchost.exe
364	svchost.exe
1820	svchost.exe
2000	svchost.exe
1608	svchost.exe

Checks BIOS information in registry 2 TTPs 23 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe

Loads dropped DLL 46 IoCs

Processes:

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
2036	svchost.exe
2036	svchost.exe
1968	svchost.exe
1968	svchost.exe
888	svchost.exe
888	svchost.exe
816	svchost.exe
816	svchost.exe
612	svchost.exe
612	svchost.exe
1996	svchost.exe
1996	svchost.exe
1888	svchost.exe
1888	svchost.exe
1080	svchost.exe
1080	svchost.exe
1964	svchost.exe
1964	svchost.exe
1368	svchost.exe
1368	svchost.exe
1072	svchost.exe
1072	svchost.exe
1884	svchost.exe
1884	svchost.exe
1552	svchost.exe
1552	svchost.exe
1704	svchost.exe
1704	svchost.exe
1900	svchost.exe
1900	svchost.exe
2016	svchost.exe
2016	svchost.exe
1736	svchost.exe
1736	svchost.exe
1092	svchost.exe
1092	svchost.exe
604	svchost.exe
604	svchost.exe
364	svchost.exe
364	svchost.exe
1820	svchost.exe
1820	svchost.exe
2000	svchost.exe
2000	svchost.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Drops file in System32 directory 64 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 23 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe

Modifies registry class 46 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e61cb8244dccbdd08f	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSecurityPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeTakeOwnershipPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeLoadDriverPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSystemProfilePrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSystemtimePrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeProfSingleProcessPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeIncBasePriorityPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeCreatePagefilePrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeBackupPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeRestorePrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeShutdownPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeDebugPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSystemEnvironmentPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeChangeNotifyPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeRemoteShutdownPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeUndockPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeManageVolumePrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeImpersonatePrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeCreateGlobalPrivilege	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: 33	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: 34	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: 35	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeIncreaseQuotaPrivilege	2036	svchost.exe
Token: SeSecurityPrivilege	2036	svchost.exe
Token: SeTakeOwnershipPrivilege	2036	svchost.exe
Token: SeLoadDriverPrivilege	2036	svchost.exe
Token: SeSystemProfilePrivilege	2036	svchost.exe
Token: SeSystemtimePrivilege	2036	svchost.exe
Token: SeProfSingleProcessPrivilege	2036	svchost.exe
Token: SeIncBasePriorityPrivilege	2036	svchost.exe
Token: SeCreatePagefilePrivilege	2036	svchost.exe
Token: SeBackupPrivilege	2036	svchost.exe
Token: SeRestorePrivilege	2036	svchost.exe
Token: SeShutdownPrivilege	2036	svchost.exe
Token: SeDebugPrivilege	2036	svchost.exe
Token: SeSystemEnvironmentPrivilege	2036	svchost.exe
Token: SeChangeNotifyPrivilege	2036	svchost.exe
Token: SeRemoteShutdownPrivilege	2036	svchost.exe
Token: SeUndockPrivilege	2036	svchost.exe
Token: SeManageVolumePrivilege	2036	svchost.exe
Token: SeImpersonatePrivilege	2036	svchost.exe
Token: SeCreateGlobalPrivilege	2036	svchost.exe
Token: 33	2036	svchost.exe
Token: 34	2036	svchost.exe
Token: 35	2036	svchost.exe
Token: SeIncreaseQuotaPrivilege	1968	svchost.exe
Token: SeSecurityPrivilege	1968	svchost.exe
Token: SeTakeOwnershipPrivilege	1968	svchost.exe
Token: SeLoadDriverPrivilege	1968	svchost.exe
Token: SeSystemProfilePrivilege	1968	svchost.exe
Token: SeSystemtimePrivilege	1968	svchost.exe
Token: SeProfSingleProcessPrivilege	1968	svchost.exe
Token: SeIncBasePriorityPrivilege	1968	svchost.exe
Token: SeCreatePagefilePrivilege	1968	svchost.exe
Token: SeBackupPrivilege	1968	svchost.exe
Token: SeRestorePrivilege	1968	svchost.exe
Token: SeShutdownPrivilege	1968	svchost.exe
Token: SeDebugPrivilege	1968	svchost.exe
Token: SeSystemEnvironmentPrivilege	1968	svchost.exe
Token: SeChangeNotifyPrivilege	1968	svchost.exe
Token: SeRemoteShutdownPrivilege	1968	svchost.exe
Token: SeUndockPrivilege	1968	svchost.exe
Token: SeManageVolumePrivilege	1968	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1944 wrote to memory of 2036	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe	svchost.exe
PID 1944 wrote to memory of 2036	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe	svchost.exe
PID 1944 wrote to memory of 2036	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe	svchost.exe
PID 1944 wrote to memory of 2036	1944	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe	svchost.exe
PID 2036 wrote to memory of 1968	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 1968	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 1968	2036	svchost.exe	svchost.exe
PID 2036 wrote to memory of 1968	2036	svchost.exe	svchost.exe
PID 1968 wrote to memory of 888	1968	svchost.exe	svchost.exe
PID 1968 wrote to memory of 888	1968	svchost.exe	svchost.exe
PID 1968 wrote to memory of 888	1968	svchost.exe	svchost.exe
PID 1968 wrote to memory of 888	1968	svchost.exe	svchost.exe
PID 888 wrote to memory of 816	888	svchost.exe	svchost.exe
PID 888 wrote to memory of 816	888	svchost.exe	svchost.exe
PID 888 wrote to memory of 816	888	svchost.exe	svchost.exe
PID 888 wrote to memory of 816	888	svchost.exe	svchost.exe
PID 816 wrote to memory of 612	816	svchost.exe	svchost.exe
PID 816 wrote to memory of 612	816	svchost.exe	svchost.exe
PID 816 wrote to memory of 612	816	svchost.exe	svchost.exe
PID 816 wrote to memory of 612	816	svchost.exe	svchost.exe
PID 612 wrote to memory of 1996	612	svchost.exe	svchost.exe
PID 612 wrote to memory of 1996	612	svchost.exe	svchost.exe
PID 612 wrote to memory of 1996	612	svchost.exe	svchost.exe
PID 612 wrote to memory of 1996	612	svchost.exe	svchost.exe
PID 1996 wrote to memory of 1888	1996	svchost.exe	svchost.exe
PID 1996 wrote to memory of 1888	1996	svchost.exe	svchost.exe
PID 1996 wrote to memory of 1888	1996	svchost.exe	svchost.exe
PID 1996 wrote to memory of 1888	1996	svchost.exe	svchost.exe
PID 1888 wrote to memory of 1080	1888	svchost.exe	svchost.exe
PID 1888 wrote to memory of 1080	1888	svchost.exe	svchost.exe
PID 1888 wrote to memory of 1080	1888	svchost.exe	svchost.exe
PID 1888 wrote to memory of 1080	1888	svchost.exe	svchost.exe
PID 1080 wrote to memory of 1964	1080	svchost.exe	svchost.exe
PID 1080 wrote to memory of 1964	1080	svchost.exe	svchost.exe
PID 1080 wrote to memory of 1964	1080	svchost.exe	svchost.exe
PID 1080 wrote to memory of 1964	1080	svchost.exe	svchost.exe
PID 1964 wrote to memory of 1368	1964	svchost.exe	svchost.exe
PID 1964 wrote to memory of 1368	1964	svchost.exe	svchost.exe
PID 1964 wrote to memory of 1368	1964	svchost.exe	svchost.exe
PID 1964 wrote to memory of 1368	1964	svchost.exe	svchost.exe
PID 1368 wrote to memory of 1072	1368	svchost.exe	svchost.exe
PID 1368 wrote to memory of 1072	1368	svchost.exe	svchost.exe
PID 1368 wrote to memory of 1072	1368	svchost.exe	svchost.exe
PID 1368 wrote to memory of 1072	1368	svchost.exe	svchost.exe
PID 1072 wrote to memory of 1884	1072	svchost.exe	svchost.exe
PID 1072 wrote to memory of 1884	1072	svchost.exe	svchost.exe
PID 1072 wrote to memory of 1884	1072	svchost.exe	svchost.exe
PID 1072 wrote to memory of 1884	1072	svchost.exe	svchost.exe
PID 1884 wrote to memory of 1552	1884	svchost.exe	svchost.exe
PID 1884 wrote to memory of 1552	1884	svchost.exe	svchost.exe
PID 1884 wrote to memory of 1552	1884	svchost.exe	svchost.exe
PID 1884 wrote to memory of 1552	1884	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1704	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1704	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1704	1552	svchost.exe	svchost.exe
PID 1552 wrote to memory of 1704	1552	svchost.exe	svchost.exe
PID 1704 wrote to memory of 1900	1704	svchost.exe	svchost.exe
PID 1704 wrote to memory of 1900	1704	svchost.exe	svchost.exe
PID 1704 wrote to memory of 1900	1704	svchost.exe	svchost.exe
PID 1704 wrote to memory of 1900	1704	svchost.exe	svchost.exe
PID 1900 wrote to memory of 2016	1900	svchost.exe	svchost.exe
PID 1900 wrote to memory of 2016	1900	svchost.exe	svchost.exe
PID 1900 wrote to memory of 2016	1900	svchost.exe	svchost.exe
PID 1900 wrote to memory of 2016	1900	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
"C:\Users\Admin\AppData\Local\Temp\c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
15⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1736

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
19⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1092

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:604

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
21⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:364

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1820

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
23⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2000

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
24⤵
- Executes dropped EXE
PID:1608

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\549b9b645cadfe6bb4bc69cf363c354c_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\549b9b645cadfe6bb4bc69cf363c354c_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\549b9b645cadfe6bb4bc69cf363c354c_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\549b9b645cadfe6bb4bc69cf363c354c_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\549b9b645cadfe6bb4bc69cf363c354c_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\549b9b645cadfe6bb4bc69cf363c354c_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\9a37938696da2a6a543a9989ea69a4d6_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\ee6ba271daaf63a0cd38d12747de6fe8_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\ee6ba271daaf63a0cd38d12747de6fe8_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3845472200-3839195424-595303356-1000\ee6ba271daaf63a0cd38d12747de6fe8_7725c12a-7257-458e-a47f-7029d9191548
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
memory/364-205-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/364-199-0x0000000000000000-mapping.dmp

Download
memory/364-202-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/604-201-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/604-198-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/604-196-0x0000000000000000-mapping.dmp

Download
memory/612-96-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/612-92-0x0000000000000000-mapping.dmp

Download
memory/612-101-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/816-84-0x0000000000000000-mapping.dmp

Download
memory/816-95-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/816-88-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/888-81-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/888-77-0x0000000000000000-mapping.dmp

Download
memory/888-85-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1072-141-0x0000000000000000-mapping.dmp

Download
memory/1072-145-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1072-151-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1080-116-0x0000000000000000-mapping.dmp

Download
memory/1080-127-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1080-120-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1092-193-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1092-195-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1092-190-0x0000000000000000-mapping.dmp

Download
memory/1368-137-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1368-138-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1368-132-0x0000000000000000-mapping.dmp

Download
memory/1552-158-0x0000000000000000-mapping.dmp

Download
memory/1552-168-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1552-163-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1608-215-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1608-212-0x0000000000000000-mapping.dmp

Download
memory/1704-177-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1704-166-0x0000000000000000-mapping.dmp

Download
memory/1704-171-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1736-189-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1736-192-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1736-186-0x0000000000000000-mapping.dmp

Download
memory/1820-209-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1820-207-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1820-206-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1820-203-0x0000000000000000-mapping.dmp

Download
memory/1884-148-0x0000000000000000-mapping.dmp

Download
memory/1884-156-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1884-159-0x0000000005BA0000-0x0000000005D45000-memory.dmp

Filesize
1.6MB

Download
memory/1884-153-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1888-112-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1888-107-0x0000000000000000-mapping.dmp

Download
memory/1888-113-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1900-180-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1900-175-0x0000000000000000-mapping.dmp

Download
memory/1900-181-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1900-183-0x0000000005BD0000-0x0000000005D75000-memory.dmp

Filesize
1.6MB

Download
memory/1900-194-0x0000000005BD0000-0x0000000005D75000-memory.dmp

Filesize
1.6MB

Download
memory/1944-61-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1944-55-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1944-63-0x0000000005B80000-0x0000000005D25000-memory.dmp

Filesize
1.6MB

Download
memory/1944-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1964-129-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1964-124-0x0000000000000000-mapping.dmp

Download
memory/1964-135-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1968-68-0x0000000000000000-mapping.dmp

Download
memory/1968-73-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1968-72-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1996-136-0x0000000005A60000-0x0000000005C05000-memory.dmp

Filesize
1.6MB

Download
memory/1996-103-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1996-111-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1996-99-0x0000000000000000-mapping.dmp

Download
memory/2000-208-0x0000000000000000-mapping.dmp

Download
memory/2000-211-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2000-214-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2016-182-0x0000000000000000-mapping.dmp

Download
memory/2016-185-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2016-188-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2036-64-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2036-58-0x0000000000000000-mapping.dmp

Download
memory/2036-70-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads