ardamax | a74717f9d58b53c701d2a4646247ee51107e1ad4b066b7ff4c8ec415a234d85a

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe
Size

1.3MB
MD5

b1d655ca4d6983bf47ba73acde4fa1f5
SHA1

20e777f69d69ba2ed01f7338c5800977d43701e8
SHA256

a74717f9d58b53c701d2a4646247ee51107e1ad4b066b7ff4c8ec415a234d85a
SHA512

409600228bdc55376db02834c95b482ccc6095e34975175c8f9bec1016149c1b59e3367d3653308d73d01f6380ef67ef39c139847f1f894422f462121d6ef313
SSDEEP

24576:6Y563ey8gZqj4ycxS3NqJojxt9TqfqOAaEwSDl7EOOkZWVlMZ3+ZGj9OZ:T/+qEycxy/xTTqfqOZEw8NSdZz

Score

10^/10

ardamax modiloader aspackv2 defense_evasion discovery evasion execution keylogger persistence stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
UndeadLolipop

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002343e-76.dat	family_ardamax

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Maplestory Patcher.exe

ModiLoader Second Stage 6 IoCs

resource	yara_rule
behavioral2/memory/2260-230-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1768-267-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1768-264-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1768-288-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1768-312-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/1768-335-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\drivers\csrss.exe	csrss.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\csrss.exe	Prj.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023443-80.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Prj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Tascfa.exe

Executes dropped EXE 52 IoCs

pid	Process
1664	server.exe
1576	Prj.exe
2260	Tascfa.exe
4280	Install.exe
2540	fservice.exe
3164	services.exe
3340	IOYP.exe
1108	csrss.exe
3020	lsass.exe
1768	Maplestory Patcher.exe
4424	csrss.exe
4080	lsass.exe
3324	csrss.exe
3716	csrss.exe
640	lsass.exe
4832	csrss.exe
4824	csrss.exe
1272	lsass.exe
2252	csrss.exe
3548	csrss.exe
3192	lsass.exe
3724	csrss.exe
4424	csrss.exe
3960	lsass.exe
1552	csrss.exe
2196	csrss.exe
552	lsass.exe
3288	csrss.exe
3800	csrss.exe
448	lsass.exe
3144	csrss.exe
288	csrss.exe
3324	lsass.exe
2888	csrss.exe
1272	csrss.exe
3984	lsass.exe
1068	csrss.exe
3316	csrss.exe
208	lsass.exe
2384	csrss.exe
4732	csrss.exe
4576	lsass.exe
5092	csrss.exe
1812	csrss.exe
4140	lsass.exe
3984	csrss.exe
4560	csrss.exe
4064	lsass.exe
208	csrss.exe
4048	csrss.exe
3288	lsass.exe
4832	csrss.exe

Loads dropped DLL 64 IoCs

pid	Process
4280	Install.exe
4832	Regsvr32.exe
4888	Regsvr32.exe
3164	services.exe
3164	services.exe
3164	services.exe
2540	fservice.exe
4888	Regsvr32.exe
3340	IOYP.exe
1664	server.exe
3340	IOYP.exe
3340	IOYP.exe
3164	services.exe
3164	services.exe
1224	Regsvr32.exe
1224	Regsvr32.exe
3340	IOYP.exe
1224	Regsvr32.exe
3340	IOYP.exe
1224	Regsvr32.exe
1224	Regsvr32.exe
1224	Regsvr32.exe
1664	server.exe
1664	server.exe
1664	server.exe
1664	server.exe
3584	Regsvr32.exe
3584	Regsvr32.exe
3584	Regsvr32.exe
3584	Regsvr32.exe
3584	Regsvr32.exe
1576	Prj.exe
1576	Prj.exe
1576	Prj.exe
3164	services.exe
3164	services.exe
1108	csrss.exe
1108	csrss.exe
1108	csrss.exe
1108	csrss.exe
1108	csrss.exe
1108	csrss.exe
1108	csrss.exe
3020	lsass.exe
3020	lsass.exe
3020	lsass.exe
3020	lsass.exe
3020	lsass.exe
3020	lsass.exe
3020	lsass.exe
1576	Prj.exe
1576	Prj.exe
2260	Tascfa.exe
2260	Tascfa.exe
2260	Tascfa.exe
2260	Tascfa.exe
2260	Tascfa.exe
1768	Maplestory Patcher.exe
1768	Maplestory Patcher.exe
1768	Maplestory Patcher.exe
1768	Maplestory Patcher.exe
1768	Maplestory Patcher.exe
1768	Maplestory Patcher.exe
1768	Maplestory Patcher.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023430-9.dat	upx
behavioral2/files/0x0007000000023434-16.dat	upx
behavioral2/memory/2540-60-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/3164-71-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/2260-32-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/files/0x0007000000023435-31.dat	upx
behavioral2/memory/1664-23-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1576-29-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/2540-111-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1664-129-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1576-218-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral2/memory/1768-231-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/2260-230-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3164-249-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/3164-251-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1768-267-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/1768-264-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3164-275-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1768-288-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3164-298-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1768-312-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/3164-322-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1768-335-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{sys_service}10583561410824647914112781775529266789219461736380715444522207927436259789203587792513652905145768602733014826725721384408001875574482458542738610281367981740165163694 = "system key"	Prj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IOYP Agent = "C:\\Windows\\SysWOW64\\28463\\IOYP.exe"	IOYP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\System32\\drivers\\csrss.exe"	Prj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\Maplestory Patcher.exe"	Maplestory Patcher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\System32\\drivers\\csrss.exe"	lsass.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tascfa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Maplestory Patcher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Maplestory Patcher.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\IOYP.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	server.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\28463\IOYP.009	IOYP.exe
File opened for modification	C:\WINDOWS\SysWOW64\MCI32.OCX	Prj.exe
File opened for modification	C:\WINDOWS\SysWOW64\MSINET.OCX	Prj.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\28463\IOYP.006	Install.exe
File created	C:\Windows\SysWOW64\28463\IOYP.007	Install.exe
File created	C:\Windows\SysWOW64\fservice.exe	server.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\WINDOWS\SysWOW64\DriverI.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\28463\IOYP.009	IOYP.exe
File opened for modification	C:\WINDOWS\SysWOW64\MSWINSCK.OCX	Prj.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\WINDOWS\SysWOW64\pskill.exe	Prj.exe
File opened for modification	C:\WINDOWS\SysWOW64\config\lsass.exe	Prj.exe
File opened for modification	C:\WINDOWS\SysWOW64\pdh.dll	Prj.exe
File created	C:\Windows\SysWOW64\28463\IOYP.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\28463	IOYP.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Unlocker\Unlocker.exe	Prj.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\fer.bat	Prj.exe
File created	C:\Windows\Maplestory Patcher.exe	Tascfa.exe
File opened for modification	C:\Windows\Maplestory Patcher.exe	Tascfa.exe
File created	C:\Windows\cmsetac.dll	Maplestory Patcher.exe
File opened for modification	C:\Windows\system\sservice.exe	server.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\ntdtcstp.dll	Maplestory Patcher.exe
File created	C:\Windows\system\sservice.exe	server.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4008	sc.exe
208	sc.exe
3860	sc.exe
1224	sc.exe
4652	sc.exe
1908	sc.exe
3700	sc.exe
908	sc.exe
3356	sc.exe
3800	sc.exe
2864	sc.exe
116	sc.exe
2260	sc.exe
2504	sc.exe
2456	sc.exe
3256	sc.exe
2528	sc.exe
828	sc.exe
2456	sc.exe
5116	sc.exe
3356	sc.exe
1680	sc.exe
4072	sc.exe
4648	sc.exe
2352	sc.exe
4684	sc.exe
4128	sc.exe
4648	sc.exe
4524	sc.exe
1600	sc.exe
2880	sc.exe
824	sc.exe
1156	sc.exe
1376	sc.exe
3464	sc.exe
4528	sc.exe
2676	sc.exe
1504	sc.exe
1680	sc.exe
1288	sc.exe
8	sc.exe
1084	sc.exe
4184	sc.exe
1676	sc.exe
1700	sc.exe
4484	sc.exe
4240	sc.exe
4220	sc.exe
3132	sc.exe
1376	sc.exe
3768	sc.exe
2352	sc.exe
5088	sc.exe
960	sc.exe
3140	sc.exe
3416	sc.exe
2920	sc.exe
4672	sc.exe
1152	sc.exe
1792	sc.exe
408	sc.exe
2104	sc.exe
1060	sc.exe
736	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}\ToolboxBitmap32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C1A8AF27-1257-101B-8FB0-0020AF039CA3}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\WINDOWS\\SysWow64\\MSINET.OCX"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}\MiscStatus\1\ = "131473"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	Regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A8AF28-1257-101B-8FB0-0020AF039CA3}\1.1\ = "Microsoft Multimedia Control 6.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\WINDOWS\\SysWow64\\MSINET.OCX"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\WINDOWS\\SysWow64\\MSWINSCK.OCX, 1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\WINDOWS\\SysWow64\\MSWINSCK.OCX"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A8AF28-1257-101B-8FB0-0020AF039CA3}\1.1\FLAGS	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{C1A8AF28-1257-101B-8FB0-0020AF039CA3}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1A8AF27-1257-101B-8FB0-0020AF039CA3}\TypeLib\ = "{C1A8AF28-1257-101B-8FB0-0020AF039CA3}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A8AF28-1257-101B-8FB0-0020AF039CA3}\1.1\0\win32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7ABC220-DF71-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.1"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	Regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MCI.MMControl\CLSID\ = "{C1A8AF25-1257-101B-8FB0-0020AF039CA3}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\WINDOWS\\SysWow64\\MSWINSCK.OCX"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFD6A40-3999-11CF-9150-00AA0059F70D}\InprocServer32\ = "C:\\WINDOWS\\SysWow64\\MCI32.OCX"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3775D2E0-7C5D-11CF-899E-00AA00688B10}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Prj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MCI.MMControl\ = "Microsoft Multimedia Control, version 6.0"	Regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control, version 6.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A8AF28-1257-101B-8FB0-0020AF039CA3}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32\ = "C:\\WINDOWS\\SysWow64\\MSINET.OCX"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MCI.MMControl\CLSID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C1A8AF28-1257-101B-8FB0-0020AF039CA3}\1.1\HELPDIR	Regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2780	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe
3164	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1108	csrss.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1768	Maplestory Patcher.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	Tascfa.exe
Token: SeBackupPrivilege	4436	vssvc.exe
Token: SeRestorePrivilege	4436	vssvc.exe
Token: SeAuditPrivilege	4436	vssvc.exe
Token: 33	3340	IOYP.exe
Token: SeIncBasePriorityPrivilege	3340	IOYP.exe
Token: SeDebugPrivilege	1768	Maplestory Patcher.exe
Token: SeDebugPrivilege	1768	Maplestory Patcher.exe
Token: SeDebugPrivilege	4424	csrss.exe
Token: SeDebugPrivilege	4080	lsass.exe
Token: SeDebugPrivilege	3324	csrss.exe
Token: SeDebugPrivilege	3716	csrss.exe
Token: SeDebugPrivilege	640	lsass.exe
Token: SeDebugPrivilege	4832	csrss.exe
Token: SeDebugPrivilege	4824	csrss.exe
Token: SeDebugPrivilege	1272	lsass.exe
Token: SeDebugPrivilege	2252	csrss.exe
Token: SeDebugPrivilege	3548	csrss.exe
Token: SeDebugPrivilege	3192	lsass.exe
Token: SeDebugPrivilege	3724	csrss.exe
Token: SeDebugPrivilege	4424	csrss.exe
Token: SeDebugPrivilege	3960	lsass.exe
Token: SeDebugPrivilege	1552	csrss.exe
Token: SeDebugPrivilege	2196	csrss.exe
Token: SeDebugPrivilege	552	lsass.exe
Token: SeDebugPrivilege	3288	csrss.exe
Token: SeDebugPrivilege	3800	csrss.exe
Token: SeDebugPrivilege	448	lsass.exe
Token: SeDebugPrivilege	3144	csrss.exe
Token: SeDebugPrivilege	288	csrss.exe
Token: SeDebugPrivilege	3324	lsass.exe
Token: SeDebugPrivilege	2888	csrss.exe
Token: SeDebugPrivilege	1272	csrss.exe
Token: SeDebugPrivilege	3984	lsass.exe
Token: SeDebugPrivilege	1068	csrss.exe
Token: SeDebugPrivilege	3316	csrss.exe
Token: SeDebugPrivilege	208	lsass.exe
Token: SeDebugPrivilege	2384	csrss.exe
Token: SeDebugPrivilege	4732	csrss.exe
Token: SeDebugPrivilege	4576	lsass.exe
Token: SeDebugPrivilege	5092	csrss.exe
Token: SeDebugPrivilege	1812	csrss.exe
Token: SeDebugPrivilege	4140	lsass.exe
Token: SeDebugPrivilege	3984	csrss.exe
Token: SeDebugPrivilege	4560	csrss.exe
Token: SeDebugPrivilege	4064	lsass.exe
Token: SeDebugPrivilege	208	csrss.exe
Token: SeDebugPrivilege	4048	csrss.exe
Token: SeDebugPrivilege	3288	lsass.exe
Token: SeDebugPrivilege	4832	csrss.exe

Suspicious use of SetWindowsHookEx 55 IoCs

pid	Process
3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe
1576	Prj.exe
3164	services.exe
3164	services.exe
3340	IOYP.exe
3340	IOYP.exe
3340	IOYP.exe
3340	IOYP.exe
3340	IOYP.exe
1108	csrss.exe
3020	lsass.exe
1768	Maplestory Patcher.exe
1768	Maplestory Patcher.exe
4424	csrss.exe
4080	lsass.exe
3324	csrss.exe
3716	csrss.exe
640	lsass.exe
4832	csrss.exe
4824	csrss.exe
1272	lsass.exe
2252	csrss.exe
3548	csrss.exe
3192	lsass.exe
3724	csrss.exe
4424	csrss.exe
3960	lsass.exe
1552	csrss.exe
2196	csrss.exe
552	lsass.exe
3288	csrss.exe
3800	csrss.exe
448	lsass.exe
3144	csrss.exe
288	csrss.exe
3324	lsass.exe
2888	csrss.exe
1272	csrss.exe
3984	lsass.exe
1068	csrss.exe
3316	csrss.exe
208	lsass.exe
2384	csrss.exe
4732	csrss.exe
4576	lsass.exe
5092	csrss.exe
1812	csrss.exe
4140	lsass.exe
3984	csrss.exe
4560	csrss.exe
4064	lsass.exe
208	csrss.exe
4048	csrss.exe
3288	lsass.exe
4832	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1664	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	85
PID 3596 wrote to memory of 1664	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	85
PID 3596 wrote to memory of 1664	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	85
PID 3596 wrote to memory of 1576	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	86
PID 3596 wrote to memory of 1576	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	86
PID 3596 wrote to memory of 1576	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	86
PID 3596 wrote to memory of 2260	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	87
PID 3596 wrote to memory of 2260	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	87
PID 3596 wrote to memory of 2260	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	87
PID 3596 wrote to memory of 4280	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	88
PID 3596 wrote to memory of 4280	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	88
PID 3596 wrote to memory of 4280	3596	b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe	88
PID 1576 wrote to memory of 1264	1576	Prj.exe	89
PID 1576 wrote to memory of 1264	1576	Prj.exe	89
PID 1576 wrote to memory of 1264	1576	Prj.exe	89
PID 1576 wrote to memory of 116	1576	Prj.exe	90
PID 1576 wrote to memory of 116	1576	Prj.exe	90
PID 1576 wrote to memory of 116	1576	Prj.exe	90
PID 1576 wrote to memory of 2252	1576	Prj.exe	91
PID 1576 wrote to memory of 2252	1576	Prj.exe	91
PID 1576 wrote to memory of 2252	1576	Prj.exe	91
PID 1576 wrote to memory of 2672	1576	Prj.exe	92
PID 1576 wrote to memory of 2672	1576	Prj.exe	92
PID 1576 wrote to memory of 2672	1576	Prj.exe	92
PID 1576 wrote to memory of 824	1576	Prj.exe	93
PID 1576 wrote to memory of 824	1576	Prj.exe	93
PID 1576 wrote to memory of 824	1576	Prj.exe	93
PID 1576 wrote to memory of 5088	1576	Prj.exe	94
PID 1576 wrote to memory of 5088	1576	Prj.exe	94
PID 1576 wrote to memory of 5088	1576	Prj.exe	94
PID 1576 wrote to memory of 208	1576	Prj.exe	95
PID 1576 wrote to memory of 208	1576	Prj.exe	95
PID 1576 wrote to memory of 208	1576	Prj.exe	95
PID 1576 wrote to memory of 1792	1576	Prj.exe	96
PID 1576 wrote to memory of 1792	1576	Prj.exe	96
PID 1576 wrote to memory of 1792	1576	Prj.exe	96
PID 1576 wrote to memory of 828	1576	Prj.exe	97
PID 1576 wrote to memory of 828	1576	Prj.exe	97
PID 1576 wrote to memory of 828	1576	Prj.exe	97
PID 1576 wrote to memory of 1680	1576	Prj.exe	98
PID 1576 wrote to memory of 1680	1576	Prj.exe	98
PID 1576 wrote to memory of 1680	1576	Prj.exe	98
PID 1576 wrote to memory of 216	1576	Prj.exe	99
PID 1576 wrote to memory of 216	1576	Prj.exe	99
PID 1576 wrote to memory of 216	1576	Prj.exe	99
PID 1576 wrote to memory of 4424	1576	Prj.exe	100
PID 1576 wrote to memory of 4424	1576	Prj.exe	100
PID 1576 wrote to memory of 4424	1576	Prj.exe	100
PID 1576 wrote to memory of 2512	1576	Prj.exe	101
PID 1576 wrote to memory of 2512	1576	Prj.exe	101
PID 1576 wrote to memory of 2512	1576	Prj.exe	101
PID 1576 wrote to memory of 4240	1576	Prj.exe	102
PID 1576 wrote to memory of 4240	1576	Prj.exe	102
PID 1576 wrote to memory of 4240	1576	Prj.exe	102
PID 1576 wrote to memory of 3192	1576	Prj.exe	103
PID 1576 wrote to memory of 3192	1576	Prj.exe	103
PID 1576 wrote to memory of 3192	1576	Prj.exe	103
PID 1576 wrote to memory of 2880	1576	Prj.exe	104
PID 1576 wrote to memory of 2880	1576	Prj.exe	104
PID 1576 wrote to memory of 2880	1576	Prj.exe	104
PID 1576 wrote to memory of 4832	1576	Prj.exe	105
PID 1576 wrote to memory of 4832	1576	Prj.exe	105
PID 1576 wrote to memory of 4832	1576	Prj.exe	105
PID 1664 wrote to memory of 2540	1664	server.exe	118

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Maplestory Patcher.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2540
  - - C:\Windows\services.exe
      C:\Windows\services.exe -XP
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3164
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        5⤵
        
        PID:5116
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        6⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        5⤵
        
        PID:4588
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        6⤵
        
        PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\server.exe.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3904
- C:\Users\Admin\AppData\Local\Temp\Prj.exe
  "C:\Users\Admin\AppData\Local\Temp\Prj.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc /f
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\sc.exe
    sc delete wscsvc /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:116
- - C:\Windows\SysWOW64\sc.exe
    sc stop SharedAccess /f
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\sc.exe
    sc delete SharedAccess /f
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\sc.exe
    sc stop wuauserv /f
    3⤵
    PID:824
- - C:\Windows\SysWOW64\sc.exe
    sc delete wuauserv /f
    3⤵
    - Launches sc.exe
    PID:5088
- - C:\Windows\SysWOW64\sc.exe
    sc stop srservice /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- - C:\Windows\SysWOW64\sc.exe
    sc delete srservice /f
    3⤵
    - Launches sc.exe
    PID:1792
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:828
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\SysWOW64\sc.exe
    sc stop wscsvc /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:216
- - C:\Windows\SysWOW64\sc.exe
    sc delete wscsvc /f
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\sc.exe
    sc stop MpsSvc /f
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\sc.exe
    sc delete MpsSvc /f
    3⤵
    - Launches sc.exe
    PID:4240
- - C:\Windows\SysWOW64\sc.exe
    sc stop wuauserv /f
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\sc.exe
    sc delete wuauserv /f
    3⤵
    - Launches sc.exe
    PID:2880
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32 C:\WINDOWS\System32\MSWINSCK.OCX /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4832
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32 C:\WINDOWS\System32\MCI32.OCX /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4888
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32 C:\WINDOWS\System32\MSINET.OCX /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1224
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32 C:\WINDOWS\System32\pdh.dll /s
    3⤵
    - Loads dropped DLL
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c DEL "C:\Program Files (x86)\Unlocker\Unlocker.exe" /F /Q
    3⤵
    PID:4368
- - C:\WINDOWS\SysWOW64\drivers\csrss.exe
    "C:\WINDOWS\system32\drivers\csrss.exe"
    3⤵
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1108
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc /f
      4⤵
      Launches sc.exe
      PID:2864
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wscsvc /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2096
  - - C:\Windows\SysWOW64\sc.exe
      sc stop SharedAccess /f
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\sc.exe
      sc delete SharedAccess /f
      4⤵
      Launches sc.exe
      PID:4128
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv /f
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\sc.exe
      sc delete wuauserv /f
      4⤵
      Launches sc.exe
      PID:4184
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:3020
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4424
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:1664
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:4428
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:3876
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:1104
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:3016
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3324
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:824
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:2352
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:4180
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:2320
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3800
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3716
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:3228
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:4072
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:4220
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:960
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:4840
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4832
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:3768
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:3160
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:2120
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:1156
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:3736
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4824
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:4768
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:4212
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:3204
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:1676
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:300
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2252
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:116
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:2864
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:956
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:1176
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:3128
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3548
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:5116
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:4044
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:300
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3132
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1376
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:2260
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3724
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:1288
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:1780
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:1812
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:4072
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:4376
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:1224
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4424
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:1916
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:1772
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:3592
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:4176
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:4456
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1552
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:4652
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:860
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:3404
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2196
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:4828
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:4008
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:2252
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:1084
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:4644
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:2384
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3288
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:3692
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1676
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:2504
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:8
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:4408
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3800
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:5092
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:3356
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:4652
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:960
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:800
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3144
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:1084
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:4672
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:3768
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:1908
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3140
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:4644
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:288
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:4396
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:4432
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:4960
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3700
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2888
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:372
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:3132
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1376
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:408
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:2328
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1272
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:4648
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:1680
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:208
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:4116
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1068
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:2456
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4072
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:3256
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:4684
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3316
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4212
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:3464
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:372
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:4224
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2384
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:4744
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:4648
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:3528
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:2528
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:2104
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:4528
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4732
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:1228
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:908
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:3204
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:1060
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:2244
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:452
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5092
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:3316
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:3800
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:736
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:3356
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:640
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1812
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:4524
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:1364
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:3416
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2676
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3984
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:3528
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:3140
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:3860
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:1032
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1600
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:4588
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4560
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:1480
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:4736
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1700
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:452
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:2536
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:1416
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:208
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2920
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        
        PID:2276
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:460
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4484
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4048
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        
        PID:3216
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:2172
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        Launches sc.exe
        
        PID:2352
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2456
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:4672
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        Launches sc.exe
        
        PID:1152
    - - C:\WINDOWS\SysWOW64\drivers\csrss.exe
        
        C:\WINDOWS\system32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4832
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wscsvc /f
        6⤵
        Launches sc.exe
        
        PID:1504
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wscsvc /f
        6⤵
        
        PID:2112
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop SharedAccess /f
        6⤵
        
        PID:284
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete SharedAccess /f
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4684
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv /f
        6⤵
        
        PID:4412
      - C:\Windows\SysWOW64\sc.exe
        
        sc delete wuauserv /f
        6⤵
        
        PID:3704
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4080
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:640
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1272
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3192
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3960
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:552
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:448
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3324
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3984
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:208
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4576
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4140
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4064
  - - C:\WINDOWS\SysWOW64\config\lsass.exe
      "C:\WINDOWS\system32\config\lsass.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\fer.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
  - - C:\Windows\SysWOW64\reg.exe
      REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2780
- C:\Users\Admin\AppData\Local\Temp\Tascfa.exe
  "C:\Users\Admin\AppData\Local\Temp\Tascfa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- - C:\Windows\Maplestory Patcher.exe
    "C:\Windows\Maplestory Patcher.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Tascfa.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1768
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:4280
- - C:\Windows\SysWOW64\28463\IOYP.exe
    "C:\Windows\system32\28463\IOYP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8472.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
56ba014771d22d1ced6289881d8c0a6a

SHA1
d2f8e6bc53b4fc2b1397d25991cbba79f257ce53

SHA256
16d1d2a91be0d6f9e48b23fe8e869ab8aff5e62e264c08a61ee7d44406c308fd

SHA512
bb6ca89ab936797f44d3be9b9d41ced96b974218a8b6b8f08f32a40cb8acf73e5b099c6e2d2c3f4a264bd557dd7b3bfac4110854b2f04a9d0d032084f436870c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prj.exe

Filesize
404KB

MD5
9584666536b271c558d4eac22a29d753

SHA1
40fb665b17418e8110d45eb1de8bf54faaeff04a

SHA256
4cb0ef6a76ed438000d71cebe13126884ca4bb6437729fe4a0e0154784f72f48

SHA512
bb25036339d9644d8043e41108172d0d245ed0a82579292ef2e2aecf30e2b4d584eee42beeeb4ad7ee1d77dcbfd7abe14024dc07a778c6005389e106a232dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tascfa.exe

Filesize
110KB

MD5
b676e9de01775c4c4f98300423b703b4

SHA1
8ada5a0858559f29d504ed079d6b3318bd72fec8

SHA256
194ae53a6e435f143815209e84ab606bd49ae2665f50e26309e0193c9a69a995

SHA512
5e766495fb2a1c97f9914883cb25657916727066a4edf5912d5ccedc3bc2854eede7249eb57680d40e902d440e0e5edd5ce394ee43e2f1151787227e07372119

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
342KB

MD5
8004860b5dbc616a3654a6861e7b53cd

SHA1
7ab67a2debdad7c6edf934bcc782bdb7c681c2fd

SHA256
7e5d580fe7ecf673df39e417f4bfe607f25fd05a5fbb6197dfef83adf14fb3b0

SHA512
c697a58fd4c0561ad399d86f4cb51e612539c77e525434ae3bf7d6344fa567bd0c614f95a8442c9f7ceb394c2f64403915bc91a0bd2745104248b8c21479c3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe.bat

Filesize
129B

MD5
4f73a47eadc64c971ad4a3e09cceef9b

SHA1
7e782f6c004bfeb885ac5e05968ff8725a7a53bb

SHA256
b6f7c895d22726f59e43964ef4140ed8ee4f5b298dbafcdca2a01a40f7bf3c6c

SHA512
6332bffc816601e37217ad3111bf6658e8602857d92c97599cef1605c8ccb3c6e1fac7867be835f9fd26122a7d1ec34296ecfe9ca3a57cd47117036131c3f4d1

Download Submit
C:\WINDOWS\SysWOW64\MCI32.OCX

Filesize
193KB

MD5
62b0194f801f2ae74b8b70900da50901

SHA1
a3f5ee54175d3af80c3be7a056986882b090a5e5

SHA256
07bf28692ac79fd7e7de7cff2291ea945bb5a60d427ae2fd7a19dde738b67438

SHA512
95b8755de564832a42f1ce8c4c1ee576bddcecc13d6d556fbf4911001cee086f749839a76d18b4507c96c79adfccf4cd0c2500cc38b9f24d3fd2f2e8dda0f23e

Download Submit
C:\WINDOWS\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\IOYP.001

Filesize
414B

MD5
bcc4f4bab0fd2b8907a398f327545ad0

SHA1
6424f42631586d6dee15d882c423871c310fee95

SHA256
0a9e2db75daf44fd06e3be04e946b36ca2f80d37836f599c99db89b1bdf3f5dd

SHA512
c34ea171a62109636a37abefe0de3dcee0d6e8dcac3ecd5f20fa812f29c58c2c9d80710726ebbe428d0f8f21abc20ef0022dc6e5825f9eb0796e93d6182bc4e3

Download Submit
C:\Windows\SysWOW64\28463\IOYP.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\IOYP.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\IOYP.009

Filesize
334KB

MD5
14e2958493c279a41e9b5afb70a875a2

SHA1
be9222ea42d4f1437a0d5d2dde89201d099b94d2

SHA256
876445d9a7589ad0aad63276d5c65491f961d6cfe908ced556efa893fe1ee27f

SHA512
199ea15ad49fd637dc86a62366d763c615b05ea91519cc27471876a025eba0e715f7aaa7cff8bd77528a9f4af85551fb1e1bbf3f6b74ed2733618f6debcd3a12

Download Submit
C:\Windows\SysWOW64\28463\IOYP.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Windows\SysWOW64\drivers\csrss.exe

Filesize
292KB

MD5
d7ed4e6d335fb474530ede701fb7243d

SHA1
685aaa986352a84b226675bbb3e69edbf1731f3c

SHA256
38c8576808eb9e7aa02f086b15dca16344013eab399c85ae392a4da4baf4e9bd

SHA512
5005c4d82d452ac54b073034c28e3b8828006baf157bc195a399d84812bc0aefbef07bc14edd3f33e57a864f7556133c188326a848c384fa7fde35a0cc0bc40e

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
memory/640-280-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1108-262-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1272-305-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1576-218-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1576-29-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1664-23-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1664-129-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1664-33-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1768-264-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1768-312-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1768-267-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1768-238-0x00000000029D0000-0x00000000029DE000-memory.dmp

Filesize
56KB

Download
memory/1768-231-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1768-265-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/1768-288-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1768-266-0x00000000029D0000-0x00000000029DE000-memory.dmp

Filesize
56KB

Download
memory/1768-335-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2252-310-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/2260-32-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2260-230-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2540-60-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2540-111-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-275-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-298-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-71-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-322-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-87-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3164-249-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3164-251-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3192-329-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/3324-260-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3324-261-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/3548-320-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/3716-273-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/3724-334-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/4080-256-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/4080-253-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/4424-243-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/4424-246-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4424-247-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/4424-344-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/4824-296-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/4832-285-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download