Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 15:29
Behavioral task behavioral1
- Sample: 074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe
- Size: 1015KB
- MD5: 074b37dbc85dcc235f8f6f33a1d56953
- SHA1: e36b7444d38ad4026937824101ce5e6c17a1dc19
- SHA256: a9e50afef81424a18bc6013efabd3710f0e74d32a2ea8bf031e27b7f59ff2d03
- SHA512: cd3f83604ed6f9e845ebcc8adc428a428888d76e879f84e011cb1b2633231ea7415028526d43bf997c61f4e1722c239f677dd77b8be1adb136da39c6ac7d2b82
- SSDEEP: 24576:PaMw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpks6SXsa:dLbVMTrOq4YSXsa
Malware Config
Extracted: darkcomet
- all.tamashi.ge
- jajaxparkour.no-ip.org:81
- jajaxparkour.no-ip.org:82
- jajaxparkour.no-ip.org:83
- DC_MUTEX-HNXAZ4N
- InstallPath: msdcsc.exe
- gencode: JmA4p7WaU7N1
- install: true
- offline_keylogger: true
- password: jajaXparkourjajaXparkour
- persistence: true
- reg_key: WinUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: alltamashige.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\msdcsc.exe" (alltamashige.exe)
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
Modifies security service (2 TTPs, 1 IoC)
Processes: msdcsc.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
Windows security bypass (2 IoCs)
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Drops file in Drivers directory (1 IoC)
Processes: alltamashige.exe
- File opened for modification C:\Windows\system32\drivers\etc\hosts (alltamashige.exe)
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (PID 1996), attrib.exe (PID 2412)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe, alltamashige.exe
- Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (alltamashige.exe)
Executes dropped EXE (6 IoCs)
Processes: cmd.exe (PID 2004), alltamashige.exe (PID 3368), svchost.exe (PID 4904), alltamashige.exe (PID 4208), svchost.exe (PID 4352), msdcsc.exe (PID 3588)
Windows security modification (2 IoCs)
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, alltamashige.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Windows\\msdcsc.exe" (msdcsc.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Windows\\msdcsc.exe" (alltamashige.exe)
Drops file in Program Files directory (51 IoCs)
Processes: svchost.exe
All entries are "File opened for modification" by svchost.exe:
- C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
- C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
- C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
- C:\Program Files\Java\jdk-1.8\bin\jjs.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
- C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
- C:\Program Files\Java\jdk-1.8\bin\javaws.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
- C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
- C:\Program Files\Java\jdk-1.8\bin\java.exe
- C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
- C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
- C:\Program Files\Java\jdk-1.8\bin\jhat.exe
- C:\Program Files\Java\jdk-1.8\bin\jmap.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
- C:\Program Files\Java\jdk-1.8\bin\jdb.exe
- C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
- C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jdk-1.8\bin\javaw.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
- C:\Program Files\Java\jdk-1.8\bin\javac.exe
- C:\Program Files\Java\jdk-1.8\bin\idlj.exe
- C:\Program Files\Java\jdk-1.8\bin\javap.exe
- C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
- C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Java\jdk-1.8\bin\jar.exe
- C:\Program Files\dotnet\dotnet.exe
- C:\Program Files\Java\jdk-1.8\bin\javah.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Java\jdk-1.8\bin\jps.exe
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
- C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Drops file in Windows directory (4 IoCs)
Processes: alltamashige.exe
- File created C:\Windows\msdcsc.exe (alltamashige.exe)
- File opened for modification C:\Windows\msdcsc.exe (alltamashige.exe)
- File opened for modification C:\Windows\ (alltamashige.exe)
- File created C:\Windows\svchost.exe (alltamashige.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msdcsc.exe (PID 3588)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: alltamashige.exe (PID 4208), msdcsc.exe (PID 3588)
Each of the two processes adjusted the same 24 token privileges:
- alltamashige.exe (PID 4208): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- msdcsc.exe (PID 3588): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe (PID 3588)
Suspicious use of WriteProcessMemory (53 IoCs)
Processes: 074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe, alltamashige.exe, svchost.exe, alltamashige.exe, cmd.exe, cmd.exe, msdcsc.exe
Source PID -> target PID (source process -> target process), with the number of recorded writes:
- PID 5112 wrote to memory of 2004 (074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe -> cmd.exe), 3 times
- PID 5112 wrote to memory of 3368 (074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe -> alltamashige.exe), 3 times
- PID 3368 wrote to memory of 4904 (alltamashige.exe -> svchost.exe), 3 times
- PID 4904 wrote to memory of 4208 (svchost.exe -> alltamashige.exe), 3 times
- PID 4208 wrote to memory of 1588 (alltamashige.exe -> cmd.exe), 3 times
- PID 4208 wrote to memory of 3424 (alltamashige.exe -> cmd.exe), 3 times
- PID 4208 wrote to memory of 3588 (alltamashige.exe -> msdcsc.exe), 3 times
- PID 1588 wrote to memory of 1996 (cmd.exe -> attrib.exe), 3 times
- PID 3424 wrote to memory of 2412 (cmd.exe -> attrib.exe), 3 times
- PID 3588 wrote to memory of 4092 (msdcsc.exe -> iexplore.exe), 3 times
- PID 3588 wrote to memory of 4772 (msdcsc.exe -> explorer.exe), 2 times
- PID 3588 wrote to memory of 1768 (msdcsc.exe -> notepad.exe), 21 times
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (PID 1996), attrib.exe (PID 2412)
Processes
Process tree (indentation shows parent/child depth; the command line follows the image path, then the signatures triggered by that process):

- [1] C:\Users\Admin\AppData\Local\Temp\074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\074b37dbc85dcc235f8f6f33a1d56953_JaffaCakes118.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\%temp%\cmd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\%temp%\cmd.exe"
    signatures: Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe"
    signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\svchost.exe
      command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe"
        signatures: Modifies WinLogon for persistence; Drops file in Drivers directory; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe" +s +h
          signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\alltamashige.exe" +s +h
            signatures: Sets file to hidden; Views/modifies file attributes
        - [5] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\%temp%" +s +h
          signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\attrib.exe
            command line: attrib "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp" +s +h
            signatures: Sets file to hidden; Views/modifies file attributes
        - [5] C:\Windows\msdcsc.exe
          command line: "C:\Windows\msdcsc.exe"
          signatures: Modifies firewall policy service; Modifies security service; Windows security bypass; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [6] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - [6] C:\Windows\explorer.exe
            command line: "C:\Windows\explorer.exe"
          - [6] C:\Windows\notepad.exe
            command line: notepad
- [1] C:\Windows\svchost.exe
  command line: C:\Windows\svchost.exe
  signatures: Executes dropped EXE; Drops file in Program Files directory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
  Filesize: 697KB
  MD5: 25a7087745e3be52602ed9a2b753fb92
  SHA1: 9baf48e9603f4a4e478a856bd2bf08a0522001f3
  SHA256: c93cc41f09f3fc4dcbe7013e1705fad1f54ffea6978cc53935a5c426cb271a0e
  SHA512: ee04c15369a18f5c8b858fb7c441ed47f955d13e8048ee19ca23aa701bf6786c414944a36f0967c640723f493aabc62b2c9d9484067b4f8874a050eef3a8a65e
- C:\Users\Admin\AppData\Local\Temp\%temp%\alltamashige.exe
  Filesize: 661KB
  MD5: 4caab89f32f901eea758095fc05173d5
  SHA1: f1440d734982b2f7d3536f8a0ea2246f3b2ff8e4
  SHA256: 13e040a602b573848e1d9a6f60944271efcff6251c25a39f9aa98eb2c77dc477
  SHA512: 73713e2edd11203c2359181621032565197912b144cb0d3177a1f796a413e7fd1a698c964b45a0774647d1bc4b085d90bc7521535dd7e9989bb4b7d5fda75e33
- C:\Users\Admin\AppData\Local\Temp\%temp%\cmd.exe
  Filesize: 295KB
  MD5: ad7b9c14083b52bc532fba5948342b98
  SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
  SHA256: 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae
  SHA512: e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1
- C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 9e3c13b6556d5636b745d3e466d47467
  SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
  SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
  SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b
Memory dumps (PID-index-range, filesize):
- memory/3368-28-0x0000000000400000-0x0000000000411000-memory.dmp, 68KB
- memory/3588-70-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-66-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-82-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-80-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-78-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-56-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-58-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-60-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-62-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-64-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-76-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-74-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-68-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/3588-72-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/4208-53-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/4208-37-0x00000000022B0000-0x00000000022B1000-memory.dmp, 4KB
- memory/4352-73-0x0000000000400000-0x000000000040D000-memory.dmp, 52KB
- memory/4352-65-0x0000000000400000-0x000000000040D000-memory.dmp, 52KB
- memory/4352-55-0x0000000000400000-0x000000000040D000-memory.dmp, 52KB
- memory/4904-36-0x0000000000400000-0x000000000040D000-memory.dmp, 52KB
- memory/5112-25-0x0000000000400000-0x000000000040D000-memory.dmp, 52KB