darkcomet | c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

Analysis

max time kernel
148s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Size

912KB
MD5

54aff6329b0ce3a2d2f8cc426ecc17f1
SHA1

f411f930447ba9d441faf4f25d442d4f07920254
SHA256

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d
SHA512

be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185
SSDEEP

12288:7cUdGP0khPvPLkOHfYEJUaDE4ji6CAhamR+GzWPfQ/p6ML3nPOnihOmJAKzv88YW:7zALPvzrhE4jrCAhagEMLST0XzvuW

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windows\\process\\svchost.exe"	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe

Executes dropped EXE 10 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
4964	svchost.exe
4912	svchost.exe
2856	svchost.exe
4736	svchost.exe
1360	svchost.exe
3628	svchost.exe
3560	svchost.exe
4916	svchost.exe
4804	svchost.exe
4952	svchost.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Windows\\process\\svchost.exe"	svchost.exe

Drops file in System32 directory 30 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\svchost.exe	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\Windows\process\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\process\	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 40 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe

Modifies registry class 30 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exec451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\gl1880831163n.ryl\ = f389acaef212ce10075054d394e5a6e616370356ccbdd08f	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSecurityPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeTakeOwnershipPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeLoadDriverPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSystemProfilePrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSystemtimePrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeProfSingleProcessPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeIncBasePriorityPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeCreatePagefilePrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeBackupPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeRestorePrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeShutdownPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeDebugPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeSystemEnvironmentPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeChangeNotifyPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeRemoteShutdownPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeUndockPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeManageVolumePrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeImpersonatePrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeCreateGlobalPrivilege	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: 33	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: 34	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: 35	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: 36	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
Token: SeIncreaseQuotaPrivilege	4964	svchost.exe
Token: SeSecurityPrivilege	4964	svchost.exe
Token: SeTakeOwnershipPrivilege	4964	svchost.exe
Token: SeLoadDriverPrivilege	4964	svchost.exe
Token: SeSystemProfilePrivilege	4964	svchost.exe
Token: SeSystemtimePrivilege	4964	svchost.exe
Token: SeProfSingleProcessPrivilege	4964	svchost.exe
Token: SeIncBasePriorityPrivilege	4964	svchost.exe
Token: SeCreatePagefilePrivilege	4964	svchost.exe
Token: SeBackupPrivilege	4964	svchost.exe
Token: SeRestorePrivilege	4964	svchost.exe
Token: SeShutdownPrivilege	4964	svchost.exe
Token: SeDebugPrivilege	4964	svchost.exe
Token: SeSystemEnvironmentPrivilege	4964	svchost.exe
Token: SeChangeNotifyPrivilege	4964	svchost.exe
Token: SeRemoteShutdownPrivilege	4964	svchost.exe
Token: SeUndockPrivilege	4964	svchost.exe
Token: SeManageVolumePrivilege	4964	svchost.exe
Token: SeImpersonatePrivilege	4964	svchost.exe
Token: SeCreateGlobalPrivilege	4964	svchost.exe
Token: 33	4964	svchost.exe
Token: 34	4964	svchost.exe
Token: 35	4964	svchost.exe
Token: 36	4964	svchost.exe
Token: SeIncreaseQuotaPrivilege	4912	svchost.exe
Token: SeSecurityPrivilege	4912	svchost.exe
Token: SeTakeOwnershipPrivilege	4912	svchost.exe
Token: SeLoadDriverPrivilege	4912	svchost.exe
Token: SeSystemProfilePrivilege	4912	svchost.exe
Token: SeSystemtimePrivilege	4912	svchost.exe
Token: SeProfSingleProcessPrivilege	4912	svchost.exe
Token: SeIncBasePriorityPrivilege	4912	svchost.exe
Token: SeCreatePagefilePrivilege	4912	svchost.exe
Token: SeBackupPrivilege	4912	svchost.exe
Token: SeRestorePrivilege	4912	svchost.exe
Token: SeShutdownPrivilege	4912	svchost.exe
Token: SeDebugPrivilege	4912	svchost.exe
Token: SeSystemEnvironmentPrivilege	4912	svchost.exe
Token: SeChangeNotifyPrivilege	4912	svchost.exe
Token: SeRemoteShutdownPrivilege	4912	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4476 wrote to memory of 4964	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe	svchost.exe
PID 4476 wrote to memory of 4964	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe	svchost.exe
PID 4476 wrote to memory of 4964	4476	c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe	svchost.exe
PID 4964 wrote to memory of 4912	4964	svchost.exe	svchost.exe
PID 4964 wrote to memory of 4912	4964	svchost.exe	svchost.exe
PID 4964 wrote to memory of 4912	4964	svchost.exe	svchost.exe
PID 4912 wrote to memory of 2856	4912	svchost.exe	svchost.exe
PID 4912 wrote to memory of 2856	4912	svchost.exe	svchost.exe
PID 4912 wrote to memory of 2856	4912	svchost.exe	svchost.exe
PID 2856 wrote to memory of 4736	2856	svchost.exe	svchost.exe
PID 2856 wrote to memory of 4736	2856	svchost.exe	svchost.exe
PID 2856 wrote to memory of 4736	2856	svchost.exe	svchost.exe
PID 4736 wrote to memory of 1360	4736	svchost.exe	svchost.exe
PID 4736 wrote to memory of 1360	4736	svchost.exe	svchost.exe
PID 4736 wrote to memory of 1360	4736	svchost.exe	svchost.exe
PID 1360 wrote to memory of 3628	1360	svchost.exe	svchost.exe
PID 1360 wrote to memory of 3628	1360	svchost.exe	svchost.exe
PID 1360 wrote to memory of 3628	1360	svchost.exe	svchost.exe
PID 3628 wrote to memory of 3560	3628	svchost.exe	svchost.exe
PID 3628 wrote to memory of 3560	3628	svchost.exe	svchost.exe
PID 3628 wrote to memory of 3560	3628	svchost.exe	svchost.exe
PID 3560 wrote to memory of 4916	3560	svchost.exe	svchost.exe
PID 3560 wrote to memory of 4916	3560	svchost.exe	svchost.exe
PID 3560 wrote to memory of 4916	3560	svchost.exe	svchost.exe
PID 4916 wrote to memory of 4804	4916	svchost.exe	svchost.exe
PID 4916 wrote to memory of 4804	4916	svchost.exe	svchost.exe
PID 4916 wrote to memory of 4804	4916	svchost.exe	svchost.exe
PID 4804 wrote to memory of 4952	4804	svchost.exe	svchost.exe
PID 4804 wrote to memory of 4952	4804	svchost.exe	svchost.exe
PID 4804 wrote to memory of 4952	4804	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe
"C:\Users\Admin\AppData\Local\Temp\c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\Windows\process\svchost.exe
"C:\Windows\system32\Windows\process\svchost.exe"
11⤵
- Executes dropped EXE
PID:4952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\53f99c8554a4762c5199ddb27231004e_8329e3af-909b-464f-88cb-23d8b2c5eadf
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\549b9b645cadfe6bb4bc69cf363c354c_8329e3af-909b-464f-88cb-23d8b2c5eadf
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\549b9b645cadfe6bb4bc69cf363c354c_8329e3af-909b-464f-88cb-23d8b2c5eadf
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\549b9b645cadfe6bb4bc69cf363c354c_8329e3af-909b-464f-88cb-23d8b2c5eadf
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\549b9b645cadfe6bb4bc69cf363c354c_8329e3af-909b-464f-88cb-23d8b2c5eadf
Filesize
2KB

MD5
f97f9e17eafdd0105a4e11bafde04b40

SHA1
ba06a7abe986a61b71889b80a6f9b02b22d40667

SHA256
4783424121e6c2f870dc931b374d20c62c764eddc5769d2f536609adc1226abb

SHA512
778c4aab55f6f0fe44dbc9a97f53b59ec8ed2e35901f77afebaea57c738ad301412760709ab909b51335ddd7676cd8f8c1410c5751f2ef5cc74282bcd6c5f50e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\d71375b114e472f50fdecc6000e0f0a4_8329e3af-909b-464f-88cb-23d8b2c5eadf
Filesize
2KB

MD5
f582a3b901c7810826d7f22e0e505689

SHA1
da29c93c472b87ef2272adba5662e64905fe48fd

SHA256
3baae0486dabb86d11819309c1b6ab283179aeaf4f3a3d801ee162467f852a26

SHA512
9416d8f00b8518a348ef3be1b09f1f597b032f875939d043d66ca14dc67c5058ef7a738c5fd7dff9e54b8f39456b6424264169136f3c0aa3c08baad0afdde113

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
C:\Windows\SysWOW64\Windows\process\svchost.exe
Filesize
912KB

MD5
54aff6329b0ce3a2d2f8cc426ecc17f1

SHA1
f411f930447ba9d441faf4f25d442d4f07920254

SHA256
c451cad76da1a4a39ea124ffc922e32688f8e2abf17ebdae93ac72048a12348d

SHA512
be3ae08cd98b25e65f18086ea37741e5778bd0714e7b3cea520b3460e60036516c346ca694bf37a8960eab5dee40fdf318607c6025c14514b39d0f82e7ebb185

Download Submit
memory/1360-157-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1360-158-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/1360-155-0x0000000000000000-mapping.dmp

Download
memory/2856-147-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2856-150-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2856-148-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/2856-143-0x0000000000000000-mapping.dmp

Download
memory/3560-166-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3560-164-0x0000000000000000-mapping.dmp

Download
memory/3560-167-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3628-159-0x0000000000000000-mapping.dmp

Download
memory/3628-162-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/3628-163-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4476-132-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4476-133-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4476-134-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4736-154-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4736-153-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4736-149-0x0000000000000000-mapping.dmp

Download
memory/4804-178-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4804-174-0x0000000000000000-mapping.dmp

Download
memory/4804-181-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4804-177-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4912-145-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4912-142-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4912-139-0x0000000000000000-mapping.dmp

Download
memory/4916-173-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4916-172-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4916-171-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4916-168-0x0000000000000000-mapping.dmp

Download
memory/4952-179-0x0000000000000000-mapping.dmp

Download
memory/4952-183-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4952-184-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4964-138-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download
memory/4964-135-0x0000000000000000-mapping.dmp

Download
memory/4964-141-0x0000000000400000-0x00000000005A5000-memory.dmp

Filesize
1.6MB

Download