darkcomet | 4ea3a5789255febc90cfa4e41ae3917a2cd7dd5a7468fbda2b6489682352a931

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Size

816KB
MD5

85571302fa08d4bf11755f91d670b02f
SHA1

bc105d31930dc9485cfd609131d3f384255129bb
SHA256

4ea3a5789255febc90cfa4e41ae3917a2cd7dd5a7468fbda2b6489682352a931
SHA512

620b2f027749dd34a9d6688bcbcea9572684aa1ca5912df3a68443d0c803ffaa472db237b01986af6427bc5110375ea421c3be16431dff5ebf713fa16273f2ec
SSDEEP

12288:4pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXHqG:iwAcu99lPzvxP+Bsz2XjWTRMQckkIXH5

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 25 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe,C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe

Checks BIOS information in registry 2 TTPs 41 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 24 IoCs

pid	Process
3368	svchost.exe
4984	svchost.exe
3512	svchost.exe
4524	svchost.exe
4324	svchost.exe
2384	svchost.exe
2948	svchost.exe
5096	svchost.exe
1360	svchost.exe
3788	svchost.exe
2884	svchost.exe
4972	svchost.exe
3068	svchost.exe
2640	svchost.exe
2384	svchost.exe
2660	svchost.exe
1464	svchost.exe
3248	svchost.exe
1036	svchost.exe
620	svchost.exe
812	svchost.exe
2720	svchost.exe
4756	svchost.exe
4960	svchost.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\32bit\\svchost.exe"	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\32bit\svchost.exe	svchost.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 4392	3368	svchost.exe	96
PID 4984 set thread context of 3972	4984	svchost.exe	98
PID 3512 set thread context of 4752	3512	svchost.exe	100
PID 4324 set thread context of 3596	4324	svchost.exe	108
PID 2384 set thread context of 5092	2384	svchost.exe	110
PID 2948 set thread context of 2484	2948	svchost.exe	112
PID 5096 set thread context of 3508	5096	svchost.exe	114
PID 3788 set thread context of 4728	3788	svchost.exe	119
PID 2884 set thread context of 2228	2884	svchost.exe	121
PID 4972 set thread context of 3540	4972	svchost.exe	123
PID 2384 set thread context of 2332	2384	svchost.exe	133
PID 2660 set thread context of 4136	2660	svchost.exe	139
PID 1036 set thread context of 4324	1036	svchost.exe	145
PID 620 set thread context of 4236	620	svchost.exe	147
PID 812 set thread context of 3508	812	svchost.exe	149
PID 4756 set thread context of 716	4756	svchost.exe	156

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 41 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeBackupPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeRestorePrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeShutdownPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeDebugPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeUndockPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: 33	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: 34	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: 35	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: 36	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3368	svchost.exe
Token: SeSecurityPrivilege	3368	svchost.exe
Token: SeTakeOwnershipPrivilege	3368	svchost.exe
Token: SeLoadDriverPrivilege	3368	svchost.exe
Token: SeSystemProfilePrivilege	3368	svchost.exe
Token: SeSystemtimePrivilege	3368	svchost.exe
Token: SeProfSingleProcessPrivilege	3368	svchost.exe
Token: SeIncBasePriorityPrivilege	3368	svchost.exe
Token: SeCreatePagefilePrivilege	3368	svchost.exe
Token: SeBackupPrivilege	3368	svchost.exe
Token: SeRestorePrivilege	3368	svchost.exe
Token: SeShutdownPrivilege	3368	svchost.exe
Token: SeDebugPrivilege	3368	svchost.exe
Token: SeSystemEnvironmentPrivilege	3368	svchost.exe
Token: SeChangeNotifyPrivilege	3368	svchost.exe
Token: SeRemoteShutdownPrivilege	3368	svchost.exe
Token: SeUndockPrivilege	3368	svchost.exe
Token: SeManageVolumePrivilege	3368	svchost.exe
Token: SeImpersonatePrivilege	3368	svchost.exe
Token: SeCreateGlobalPrivilege	3368	svchost.exe
Token: 33	3368	svchost.exe
Token: 34	3368	svchost.exe
Token: 35	3368	svchost.exe
Token: 36	3368	svchost.exe
Token: SeIncreaseQuotaPrivilege	4392	explorer.exe
Token: SeSecurityPrivilege	4392	explorer.exe
Token: SeTakeOwnershipPrivilege	4392	explorer.exe
Token: SeLoadDriverPrivilege	4392	explorer.exe
Token: SeSystemProfilePrivilege	4392	explorer.exe
Token: SeSystemtimePrivilege	4392	explorer.exe
Token: SeProfSingleProcessPrivilege	4392	explorer.exe
Token: SeIncBasePriorityPrivilege	4392	explorer.exe
Token: SeCreatePagefilePrivilege	4392	explorer.exe
Token: SeBackupPrivilege	4392	explorer.exe
Token: SeRestorePrivilege	4392	explorer.exe
Token: SeShutdownPrivilege	4392	explorer.exe
Token: SeDebugPrivilege	4392	explorer.exe
Token: SeSystemEnvironmentPrivilege	4392	explorer.exe
Token: SeChangeNotifyPrivilege	4392	explorer.exe
Token: SeRemoteShutdownPrivilege	4392	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3456	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe	92
PID 2144 wrote to memory of 3456	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe	92
PID 2144 wrote to memory of 3456	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe	92
PID 2144 wrote to memory of 3368	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe	93
PID 2144 wrote to memory of 3368	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe	93
PID 2144 wrote to memory of 3368	2144	85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe	93
PID 3368 wrote to memory of 4392	3368	svchost.exe	96
PID 3368 wrote to memory of 4392	3368	svchost.exe	96
PID 3368 wrote to memory of 4392	3368	svchost.exe	96
PID 3368 wrote to memory of 4392	3368	svchost.exe	96
PID 3368 wrote to memory of 4392	3368	svchost.exe	96
PID 3368 wrote to memory of 4984	3368	svchost.exe	97
PID 3368 wrote to memory of 4984	3368	svchost.exe	97
PID 3368 wrote to memory of 4984	3368	svchost.exe	97
PID 4984 wrote to memory of 3972	4984	svchost.exe	98
PID 4984 wrote to memory of 3972	4984	svchost.exe	98
PID 4984 wrote to memory of 3972	4984	svchost.exe	98
PID 4984 wrote to memory of 3972	4984	svchost.exe	98
PID 4984 wrote to memory of 3972	4984	svchost.exe	98
PID 4984 wrote to memory of 3512	4984	svchost.exe	99
PID 4984 wrote to memory of 3512	4984	svchost.exe	99
PID 4984 wrote to memory of 3512	4984	svchost.exe	99
PID 3512 wrote to memory of 4752	3512	svchost.exe	100
PID 3512 wrote to memory of 4752	3512	svchost.exe	100
PID 3512 wrote to memory of 4752	3512	svchost.exe	100
PID 3512 wrote to memory of 4752	3512	svchost.exe	100
PID 3512 wrote to memory of 4752	3512	svchost.exe	100
PID 3512 wrote to memory of 4524	3512	svchost.exe	101
PID 3512 wrote to memory of 4524	3512	svchost.exe	101
PID 3512 wrote to memory of 4524	3512	svchost.exe	101
PID 4524 wrote to memory of 3928	4524	svchost.exe	104
PID 4524 wrote to memory of 3928	4524	svchost.exe	104
PID 4524 wrote to memory of 3928	4524	svchost.exe	104
PID 4524 wrote to memory of 4324	4524	svchost.exe	105
PID 4524 wrote to memory of 4324	4524	svchost.exe	105
PID 4524 wrote to memory of 4324	4524	svchost.exe	105
PID 4324 wrote to memory of 3596	4324	svchost.exe	108
PID 4324 wrote to memory of 3596	4324	svchost.exe	108
PID 4324 wrote to memory of 3596	4324	svchost.exe	108
PID 4324 wrote to memory of 3596	4324	svchost.exe	108
PID 4324 wrote to memory of 3596	4324	svchost.exe	108
PID 4324 wrote to memory of 2384	4324	svchost.exe	109
PID 4324 wrote to memory of 2384	4324	svchost.exe	109
PID 4324 wrote to memory of 2384	4324	svchost.exe	109
PID 2384 wrote to memory of 5092	2384	svchost.exe	110
PID 2384 wrote to memory of 5092	2384	svchost.exe	110
PID 2384 wrote to memory of 5092	2384	svchost.exe	110
PID 2384 wrote to memory of 5092	2384	svchost.exe	110
PID 2384 wrote to memory of 5092	2384	svchost.exe	110
PID 2384 wrote to memory of 2948	2384	svchost.exe	111
PID 2384 wrote to memory of 2948	2384	svchost.exe	111
PID 2384 wrote to memory of 2948	2384	svchost.exe	111
PID 2948 wrote to memory of 2484	2948	svchost.exe	112
PID 2948 wrote to memory of 2484	2948	svchost.exe	112
PID 2948 wrote to memory of 2484	2948	svchost.exe	112
PID 2948 wrote to memory of 2484	2948	svchost.exe	112
PID 2948 wrote to memory of 2484	2948	svchost.exe	112
PID 2948 wrote to memory of 5096	2948	svchost.exe	113
PID 2948 wrote to memory of 5096	2948	svchost.exe	113
PID 2948 wrote to memory of 5096	2948	svchost.exe	113
PID 5096 wrote to memory of 3508	5096	svchost.exe	114
PID 5096 wrote to memory of 3508	5096	svchost.exe	114
PID 5096 wrote to memory of 3508	5096	svchost.exe	114
PID 5096 wrote to memory of 3508	5096	svchost.exe	114

C:\Users\Admin\AppData\Local\Temp\85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85571302fa08d4bf11755f91d670b02f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:3456
- C:\Windows\SysWOW64\32bit\svchost.exe
  "C:\Windows\system32\32bit\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\SysWOW64\32bit\svchost.exe
    "C:\Windows\system32\32bit\svchost.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Checks BIOS information in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      PID:3972
  - - C:\Windows\SysWOW64\32bit\svchost.exe
      "C:\Windows\system32\32bit\svchost.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4752
    - - C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        
        PID:3928
      - C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        7⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3596
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        8⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5092
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        9⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2484
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        10⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3508
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1360
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        11⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3788
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        12⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4728
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2884
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        13⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2228
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        13⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4972
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        14⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3540
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3068
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        15⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        15⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2640
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        16⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2384
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        17⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2332
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        17⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2660
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        18⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4136
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1464
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        19⤵
        
        PID:772
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        19⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3248
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        20⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1036
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        21⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4324
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        21⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:620
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        22⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4236
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:812
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        23⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3508
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        23⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2720
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        24⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4756
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        25⤵
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:716
        
        C:\Windows\SysWOW64\32bit\svchost.exe
        
        "C:\Windows\system32\32bit\svchost.exe"
        25⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\32bit\svchost.exe

Filesize
816KB

MD5
85571302fa08d4bf11755f91d670b02f

SHA1
bc105d31930dc9485cfd609131d3f384255129bb

SHA256
4ea3a5789255febc90cfa4e41ae3917a2cd7dd5a7468fbda2b6489682352a931

SHA512
620b2f027749dd34a9d6688bcbcea9572684aa1ca5912df3a68443d0c803ffaa472db237b01986af6427bc5110375ea421c3be16431dff5ebf713fa16273f2ec

Download Submit
memory/620-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/620-143-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/812-150-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1036-135-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1360-79-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1360-76-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1464-125-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2144-13-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2144-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2144-1-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2228-89-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2228-90-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2332-111-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2332-110-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2384-115-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2384-107-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2384-60-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2384-53-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2484-64-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2484-63-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2640-106-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2660-113-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2660-122-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2720-153-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2884-93-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2948-67-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3068-103-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3248-128-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3368-14-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3368-25-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3508-73-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3508-71-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3512-33-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3512-40-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3540-96-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3540-100-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3596-50-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3596-48-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3788-86-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3972-29-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3972-28-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4324-52-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4324-45-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4392-18-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4392-19-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4392-20-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4392-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4392-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4392-15-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4392-44-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4524-43-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4728-82-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4728-83-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4752-36-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4752-37-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4756-160-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4972-99-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4984-23-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4984-32-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5092-58-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5092-56-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5096-75-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5096-68-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads