cb3c38b3b2899a486fb1ebe0f2aae837fd5f29d99d512cf2cad58d1d7a31a5bd

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
Size

376KB
MD5

ed7106c2fe2aaa98b9c79c264f5061e5
SHA1

760e2e1e1f6527752443cd28e6b78da10a5a84fc
SHA256

cb3c38b3b2899a486fb1ebe0f2aae837fd5f29d99d512cf2cad58d1d7a31a5bd
SHA512

071ca7b0745d95d9ff6325a7939288a346b8dec66b5e606a65fb71e4b80eb712ca7e5a478ef95e4107d3ad91294fd3113302b0735d3c94f0b548406f5392ea9c
SSDEEP

3072:+sJlOGa8bJl3VmP5t5Y5t5o5t5P5t5PyJ4:+87jMP7+767p7

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe

Executes dropped EXE 64 IoCs

pid	Process
1292	Fun.exe
3648	SVIQ.EXE
1012	dc.exe
2340	Fun.exe
704	SVIQ.EXE
916	Fun.exe
3144	SVIQ.EXE
3920	Fun.exe
3464	SVIQ.EXE
1072	Fun.exe
1480	SVIQ.EXE
4372	Fun.exe
540	SVIQ.EXE
1176	Fun.exe
4128	SVIQ.EXE
2852	Fun.exe
4440	SVIQ.EXE
4588	Fun.exe
916	SVIQ.EXE
4116	Fun.exe
772	SVIQ.EXE
1488	Fun.exe
1988	SVIQ.EXE
392	Fun.exe
3896	SVIQ.EXE
4036	Fun.exe
220	SVIQ.EXE
4436	Fun.exe
3180	SVIQ.EXE
4440	Fun.exe
1816	SVIQ.EXE
3692	Fun.exe
4012	SVIQ.EXE
2480	Fun.exe
4836	SVIQ.EXE
4388	Fun.exe
4800	SVIQ.EXE
3308	Fun.exe
1508	SVIQ.EXE
3368	Fun.exe
5100	SVIQ.EXE
4064	Fun.exe
1080	SVIQ.EXE
1176	Fun.exe
2380	SVIQ.EXE
456	Fun.exe
868	SVIQ.EXE
2784	Fun.exe
3088	SVIQ.EXE
5104	Fun.exe
3512	SVIQ.EXE
4360	Fun.exe
4388	SVIQ.EXE
1072	Fun.exe
1480	SVIQ.EXE
4600	Fun.exe
2720	SVIQ.EXE
2640	Fun.exe
1940	SVIQ.EXE
1320	Fun.exe
3552	SVIQ.EXE
1100	Fun.exe
3208	SVIQ.EXE
3088	Fun.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\SVIQ.EXE	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVIQ.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
1292	Fun.exe
1292	Fun.exe
3648	SVIQ.EXE
3648	SVIQ.EXE
1012	dc.exe
1012	dc.exe
1292	Fun.exe
1292	Fun.exe
3648	SVIQ.EXE
3648	SVIQ.EXE
1012	dc.exe
1012	dc.exe
2340	Fun.exe
2340	Fun.exe
704	SVIQ.EXE
704	SVIQ.EXE
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
916	Fun.exe
916	Fun.exe
3144	SVIQ.EXE
3144	SVIQ.EXE
3648	SVIQ.EXE
3648	SVIQ.EXE
1012	dc.exe
1012	dc.exe
3920	Fun.exe
3920	Fun.exe
3464	SVIQ.EXE
3464	SVIQ.EXE
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
1072	Fun.exe
1072	Fun.exe
1480	SVIQ.EXE
1480	SVIQ.EXE
3648	SVIQ.EXE
3648	SVIQ.EXE
1012	dc.exe
1012	dc.exe
4372	Fun.exe
4372	Fun.exe
540	SVIQ.EXE
540	SVIQ.EXE
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
3648	SVIQ.EXE
3648	SVIQ.EXE
1176	Fun.exe
1176	Fun.exe
4128	SVIQ.EXE
4128	SVIQ.EXE
1176	Fun.exe
1176	Fun.exe
1012	dc.exe
1012	dc.exe
2852	Fun.exe
2852	Fun.exe
4440	SVIQ.EXE
4440	SVIQ.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
1292	Fun.exe
1292	Fun.exe
3648	SVIQ.EXE
3648	SVIQ.EXE
1012	dc.exe
1012	dc.exe
2340	Fun.exe
2340	Fun.exe
704	SVIQ.EXE
704	SVIQ.EXE
916	Fun.exe
916	Fun.exe
3144	SVIQ.EXE
3144	SVIQ.EXE
3920	Fun.exe
3920	Fun.exe
3464	SVIQ.EXE
3464	SVIQ.EXE
1072	Fun.exe
1072	Fun.exe
1480	SVIQ.EXE
1480	SVIQ.EXE
4372	Fun.exe
4372	Fun.exe
540	SVIQ.EXE
540	SVIQ.EXE
1176	Fun.exe
1176	Fun.exe
4128	SVIQ.EXE
4128	SVIQ.EXE
2852	Fun.exe
2852	Fun.exe
4440	SVIQ.EXE
4440	SVIQ.EXE
4588	Fun.exe
4588	Fun.exe
916	SVIQ.EXE
916	SVIQ.EXE
4116	Fun.exe
4116	Fun.exe
772	SVIQ.EXE
772	SVIQ.EXE
1488	Fun.exe
1488	Fun.exe
1988	SVIQ.EXE
1988	SVIQ.EXE
392	Fun.exe
392	Fun.exe
3896	SVIQ.EXE
3896	SVIQ.EXE
4036	Fun.exe
4036	Fun.exe
220	SVIQ.EXE
220	SVIQ.EXE
4436	Fun.exe
4436	Fun.exe
3180	SVIQ.EXE
3180	SVIQ.EXE
4440	Fun.exe
4440	Fun.exe
1816	SVIQ.EXE
1816	SVIQ.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 1292	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	89
PID 5012 wrote to memory of 1292	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	89
PID 5012 wrote to memory of 1292	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	89
PID 1292 wrote to memory of 3648	1292	Fun.exe	90
PID 1292 wrote to memory of 3648	1292	Fun.exe	90
PID 1292 wrote to memory of 3648	1292	Fun.exe	90
PID 5012 wrote to memory of 1012	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	91
PID 5012 wrote to memory of 1012	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	91
PID 5012 wrote to memory of 1012	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	91
PID 1012 wrote to memory of 2340	1012	dc.exe	95
PID 1012 wrote to memory of 2340	1012	dc.exe	95
PID 1012 wrote to memory of 2340	1012	dc.exe	95
PID 2340 wrote to memory of 704	2340	Fun.exe	96
PID 2340 wrote to memory of 704	2340	Fun.exe	96
PID 2340 wrote to memory of 704	2340	Fun.exe	96
PID 5012 wrote to memory of 916	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	99
PID 5012 wrote to memory of 916	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	99
PID 5012 wrote to memory of 916	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	99
PID 916 wrote to memory of 3144	916	Fun.exe	100
PID 916 wrote to memory of 3144	916	Fun.exe	100
PID 916 wrote to memory of 3144	916	Fun.exe	100
PID 1012 wrote to memory of 3920	1012	dc.exe	101
PID 1012 wrote to memory of 3920	1012	dc.exe	101
PID 1012 wrote to memory of 3920	1012	dc.exe	101
PID 3920 wrote to memory of 3464	3920	Fun.exe	102
PID 3920 wrote to memory of 3464	3920	Fun.exe	102
PID 3920 wrote to memory of 3464	3920	Fun.exe	102
PID 5012 wrote to memory of 1072	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	103
PID 5012 wrote to memory of 1072	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	103
PID 5012 wrote to memory of 1072	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	103
PID 1072 wrote to memory of 1480	1072	Fun.exe	104
PID 1072 wrote to memory of 1480	1072	Fun.exe	104
PID 1072 wrote to memory of 1480	1072	Fun.exe	104
PID 1012 wrote to memory of 4372	1012	dc.exe	106
PID 1012 wrote to memory of 4372	1012	dc.exe	106
PID 1012 wrote to memory of 4372	1012	dc.exe	106
PID 4372 wrote to memory of 540	4372	Fun.exe	107
PID 4372 wrote to memory of 540	4372	Fun.exe	107
PID 4372 wrote to memory of 540	4372	Fun.exe	107
PID 5012 wrote to memory of 1176	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	108
PID 5012 wrote to memory of 1176	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	108
PID 5012 wrote to memory of 1176	5012	ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe	108
PID 1176 wrote to memory of 4128	1176	Fun.exe	109
PID 1176 wrote to memory of 4128	1176	Fun.exe	109
PID 1176 wrote to memory of 4128	1176	Fun.exe	109
PID 1012 wrote to memory of 2852	1012	dc.exe	112
PID 1012 wrote to memory of 2852	1012	dc.exe	112
PID 1012 wrote to memory of 2852	1012	dc.exe	112
PID 2852 wrote to memory of 4440	2852	Fun.exe	113
PID 2852 wrote to memory of 4440	2852	Fun.exe	113
PID 2852 wrote to memory of 4440	2852	Fun.exe	113
PID 3648 wrote to memory of 4588	3648	SVIQ.EXE	115
PID 3648 wrote to memory of 4588	3648	SVIQ.EXE	115
PID 3648 wrote to memory of 4588	3648	SVIQ.EXE	115
PID 4588 wrote to memory of 916	4588	Fun.exe	116
PID 4588 wrote to memory of 916	4588	Fun.exe	116
PID 4588 wrote to memory of 916	4588	Fun.exe	116
PID 1012 wrote to memory of 4116	1012	dc.exe	117
PID 1012 wrote to memory of 4116	1012	dc.exe	117
PID 1012 wrote to memory of 4116	1012	dc.exe	117
PID 4116 wrote to memory of 772	4116	Fun.exe	118
PID 4116 wrote to memory of 772	4116	Fun.exe	118
PID 4116 wrote to memory of 772	4116	Fun.exe	118
PID 3648 wrote to memory of 1488	3648	SVIQ.EXE	119

C:\Users\Admin\AppData\Local\Temp\ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed7106c2fe2aaa98b9c79c264f5061e5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\system\Fun.exe
  C:\Windows\system\Fun.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SVIQ.EXE
    C:\Windows\SVIQ.EXE
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1488
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4036
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:220
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:4440
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Drops file in System32 directory
      PID:2480
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3308
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1508
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4064
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        
        PID:1080
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      PID:456
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        
        PID:868
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5104
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3512
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      PID:1072
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      PID:2640
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1100
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3208
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      PID:3512
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:412
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:4860
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:3456
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:4844
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1804
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:5012
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      PID:3088
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1572
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      PID:1480
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2796
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      PID:3668
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:3976
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1320
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      PID:1816
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1892
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      PID:3468
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:4820
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in System32 directory
      PID:4184
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:3936
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:748
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1176
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2784
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2876
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      PID:4352
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:244
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3196
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:3368
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:4744
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4828
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:4756
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      PID:2064
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:3556
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:3308
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2020
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Windows directory
      PID:3996
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:3856
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:220
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:4440
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:4628
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:872
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2104
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      PID:2020
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      PID:3764
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2160
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:3180
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      PID:4628
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:3556
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:872
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Drops file in System32 directory
      Drops file in Windows directory
      PID:1688
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      PID:3996
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1060
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in System32 directory
      PID:4416
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:4944
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      PID:1340
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1320
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      PID:4428
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:3292
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in Windows directory
      PID:4292
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      PID:4728
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:840
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Adds Run key to start application
      Drops file in System32 directory
      PID:4828
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:4988
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      PID:5004
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4884
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      PID:1904
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in System32 directory
      PID:2016
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:4060
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:772
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1036
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in System32 directory
      PID:3108
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:2480
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Drops file in Windows directory
      PID:3644
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:368
  - - C:\Windows\system\Fun.exe
      C:\Windows\system\Fun.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Drops file in Windows directory
      PID:3244
    - - C:\Windows\SVIQ.EXE
        
        C:\Windows\SVIQ.EXE
        5⤵
        
        PID:1988
- C:\Windows\dc.exe
  C:\Windows\dc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:704
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3464
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:540
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4440
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:772
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:392
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3896
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:4436
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3180
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3692
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:4012
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:4388
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4800
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3368
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:5100
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1176
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:2380
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2784
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:3088
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4360
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:4388
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    PID:4600
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:2720
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1320
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      Executes dropped EXE
      PID:3552
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3088
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3236
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:3248
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:1544
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:5100
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2136
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    PID:4036
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2852
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1892
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3508
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    PID:3512
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3432
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2172
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3200
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:4368
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4340
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:4628
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3564
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Drops file in System32 directory
    PID:412
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4964
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    PID:2284
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4276
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    PID:4064
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:1080
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1320
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3992
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3920
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:440
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1636
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3272
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4328
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4060
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1036
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:1776
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:3920
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:264
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1664
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2720
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Windows directory
    PID:3480
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4636
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4896
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2488
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    PID:1156
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2784
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1564
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4352
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:4276
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3964
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2640
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4968
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2488
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4756
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3424
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4028
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Windows directory
    PID:2148
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3436
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Drops file in Windows directory
    PID:4424
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:1904
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Drops file in System32 directory
    PID:4636
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4340
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    PID:4828
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:3464
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    PID:2480
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4836
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Drops file in Windows directory
    PID:4884
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:764
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:4524
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4276
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    PID:4368
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:1652
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3024
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4224
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1648
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:884
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4428
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4880
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    PID:1988
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4904
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Drops file in System32 directory
    PID:3940
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:628
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1052
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:4756
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1020
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      PID:2824
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4360
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:872
- - C:\Windows\system\Fun.exe
    C:\Windows\system\Fun.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:4372
  - - C:\Windows\SVIQ.EXE
      C:\Windows\SVIQ.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136
- C:\Windows\system\Fun.exe
  C:\Windows\system\Fun.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SVIQ.EXE
    C:\Windows\SVIQ.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3144
- C:\Windows\system\Fun.exe
  C:\Windows\system\Fun.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SVIQ.EXE
    C:\Windows\SVIQ.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1480
- C:\Windows\system\Fun.exe
  C:\Windows\system\Fun.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SVIQ.EXE
    C:\Windows\SVIQ.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SVIQ.EXE

Filesize
376KB

MD5
ed7106c2fe2aaa98b9c79c264f5061e5

SHA1
760e2e1e1f6527752443cd28e6b78da10a5a84fc

SHA256
cb3c38b3b2899a486fb1ebe0f2aae837fd5f29d99d512cf2cad58d1d7a31a5bd

SHA512
071ca7b0745d95d9ff6325a7939288a346b8dec66b5e606a65fb71e4b80eb712ca7e5a478ef95e4107d3ad91294fd3113302b0735d3c94f0b548406f5392ea9c

Download Submit
C:\Windows\wininit.ini

Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
memory/220-335-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/392-319-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/412-676-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/456-505-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/540-210-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/704-110-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/704-114-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/772-284-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/868-504-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/916-139-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/916-267-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1012-672-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1072-187-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1072-573-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1080-470-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1100-641-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1176-233-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1176-488-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1292-90-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1320-912-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1320-624-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1480-845-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1480-186-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1480-572-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1488-302-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1508-437-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1544-693-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1572-811-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1804-779-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1816-369-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1940-606-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1988-301-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1988-710-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2136-727-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2172-862-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2340-115-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2380-487-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2480-404-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2640-607-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2720-589-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2784-522-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2852-761-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2852-250-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3088-812-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3088-658-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3088-521-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3144-138-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3180-352-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3200-861-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3208-640-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3236-657-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3248-694-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3368-454-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3432-828-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3456-745-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3464-162-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3508-795-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3512-677-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3512-829-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3512-538-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3552-623-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3564-929-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3648-659-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3668-879-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3692-387-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3896-318-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3920-163-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3976-913-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4012-386-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4036-336-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4036-762-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4064-471-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4116-285-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4128-232-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4340-895-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4360-556-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4368-896-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4372-211-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4388-555-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4388-421-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4436-353-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4440-249-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4440-370-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4500-878-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4588-268-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4600-590-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4800-420-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4836-403-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4844-744-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4860-711-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5012-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5012-778-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5012-266-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5100-728-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5100-453-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/5104-539-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download