Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 05:08

Behavioral task: behavioral1
Sample: ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Resource: win7-20240708-en

General
Target: ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Size: 817KB
MD5: ea08892b4db745c9fe47e488ff859e44
SHA1: 36d0b4980e40f343c272232f21ce012162cb3da0
SHA256: 62ba430c840b1ddbf9643a897f29c0af0dfda8f14878a0a825f8e49058ef2f6c
SHA512: 6009341d82b0507170798d87ebd21f541a71914530f159a0052547d8210af4c1fc600f8ba94b8f55c28b8747f76ff04bbc0b359b290b6ca996dcb82dfe8db9fd
SSDEEP: 12288:b9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKJfSnk:JAQ6Zx9cxTmOrucTIEFSpOGKfok
Malware Config
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 24 IoCs)

All 24 IoCs are writes to the same value, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit, and every value written has the same shape: C:\\Windows\\system32\\userinit.exe followed by N comma-separated copies of C:\\Windows\\system32\\Wlnsxp\\winlogon.exe. The report lists the writes unordered; below they are ordered by N, with the two paths abbreviated to userinit.exe and Wlnsxp\winlogon.exe. The first write (N = 1) is made by the sample itself; every later write is made by the dropped winlogon.exe and appends one more copy of its own path rather than replacing the value, which is why the value grows by exactly one entry per write.

description      ioc                                                        Process
Set value (str)  UserInit = userinit.exe + 1 x Wlnsxp\winlogon.exe          ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Set value (str)  UserInit = userinit.exe + 2 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 3 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 4 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 5 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 6 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 7 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 8 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 9 x Wlnsxp\winlogon.exe          winlogon.exe
Set value (str)  UserInit = userinit.exe + 10 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 11 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 12 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 13 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 14 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 15 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 16 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 17 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 18 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 19 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 20 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 21 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 22 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 23 x Wlnsxp\winlogon.exe         winlogon.exe
Set value (str)  UserInit = userinit.exe + 24 x Wlnsxp\winlogon.exe         winlogon.exe
Modifies firewall policy service (3 TTPs, 64 IoCs)

All 64 writes are made by explorer.exe against the StandardProfile firewall policy key and consist of three operations repeated over the run; the counts below total 64.

description      ioc                                                                                                                   Process       count
Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                explorer.exe  21
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        explorer.exe  22
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  explorer.exe  21
Modifies security service (2 TTPs, 23 IoCs)

description      ioc                                                                 Process       count
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  explorer.exe  23

description      ioc                                                                                           Process       count
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  explorer.exe  23
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    explorer.exe  23
Disables RegEdit via registry modification 23 IoCs
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 47 IoCs
BIOS information is often read in order to detect sandboxing environments.
Executes dropped EXE 46 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 48 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 23 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry 2 TTPs 47 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2308 | explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeSecurityPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeBackupPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeRestorePrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeShutdownPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeDebugPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeUndockPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: 33 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: 34 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: 35 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2308 | explorer.exe
Token: SeSecurityPrivilege | 2308 | explorer.exe
Token: SeTakeOwnershipPrivilege | 2308 | explorer.exe
Token: SeLoadDriverPrivilege | 2308 | explorer.exe
Token: SeSystemProfilePrivilege | 2308 | explorer.exe
Token: SeSystemtimePrivilege | 2308 | explorer.exe
Token: SeProfSingleProcessPrivilege | 2308 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2308 | explorer.exe
Token: SeCreatePagefilePrivilege | 2308 | explorer.exe
Token: SeBackupPrivilege | 2308 | explorer.exe
Token: SeRestorePrivilege | 2308 | explorer.exe
Token: SeShutdownPrivilege | 2308 | explorer.exe
Token: SeDebugPrivilege | 2308 | explorer.exe
Token: SeSystemEnvironmentPrivilege | 2308 | explorer.exe
Token: SeChangeNotifyPrivilege | 2308 | explorer.exe
Token: SeRemoteShutdownPrivilege | 2308 | explorer.exe
Token: SeUndockPrivilege | 2308 | explorer.exe
Token: SeManageVolumePrivilege | 2308 | explorer.exe
Token: SeImpersonatePrivilege | 2308 | explorer.exe
Token: SeCreateGlobalPrivilege | 2308 | explorer.exe
Token: 33 | 2308 | explorer.exe
Token: 34 | 2308 | explorer.exe
Token: 35 | 2308 | explorer.exe
Token: SeIncreaseQuotaPrivilege | 2992 | winlogon.exe
Token: SeSecurityPrivilege | 2992 | winlogon.exe
Token: SeTakeOwnershipPrivilege | 2992 | winlogon.exe
Token: SeLoadDriverPrivilege | 2992 | winlogon.exe
Token: SeSystemProfilePrivilege | 2992 | winlogon.exe
Token: SeSystemtimePrivilege | 2992 | winlogon.exe
Token: SeProfSingleProcessPrivilege | 2992 | winlogon.exe
Token: SeIncBasePriorityPrivilege | 2992 | winlogon.exe
Token: SeCreatePagefilePrivilege | 2992 | winlogon.exe
Token: SeBackupPrivilege | 2992 | winlogon.exe
Token: SeRestorePrivilege | 2992 | winlogon.exe
Token: SeShutdownPrivilege | 2992 | winlogon.exe
Token: SeDebugPrivilege | 2992 | winlogon.exe
Token: SeSystemEnvironmentPrivilege | 2992 | winlogon.exe
Token: SeChangeNotifyPrivilege | 2992 | winlogon.exe
Token: SeRemoteShutdownPrivilege | 2992 | winlogon.exe
Token: SeUndockPrivilege | 2992 | winlogon.exe
Token: SeManageVolumePrivilege | 2992 | winlogon.exe
Suspicious use of SetWindowsHookEx 24 IoCs
pid | Process
2748 | RSCLIENT V2.0.EXE
2308 | explorer.exe
720 | RSCLIENT V2.0.EXE
1660 | RSCLIENT V2.0.EXE
1240 | RSCLIENT V2.0.EXE
836 | RSCLIENT V2.0.EXE
2396 | RSCLIENT V2.0.EXE
848 | RSCLIENT V2.0.EXE
2780 | RSCLIENT V2.0.EXE
1100 | RSCLIENT V2.0.EXE
2068 | RSCLIENT V2.0.EXE
2360 | RSCLIENT V2.0.EXE
2472 | RSCLIENT V2.0.EXE
1936 | RSCLIENT V2.0.EXE
2220 | RSCLIENT V2.0.EXE
3044 | RSCLIENT V2.0.EXE
2596 | RSCLIENT V2.0.EXE
1592 | RSCLIENT V2.0.EXE
2936 | RSCLIENT V2.0.EXE
236 | RSCLIENT V2.0.EXE
2836 | RSCLIENT V2.0.EXE
1816 | RSCLIENT V2.0.EXE
2564 | RSCLIENT V2.0.EXE
1400 | RSCLIENT V2.0.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 1932 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 30
PID 1452 wrote to memory of 2748 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 31
PID 1452 wrote to memory of 2748 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 31
PID 1452 wrote to memory of 2748 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 31
PID 1452 wrote to memory of 2748 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 31
PID 1452 wrote to memory of 2308 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 32
PID 1452 wrote to memory of 2308 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 32
PID 1452 wrote to memory of 2308 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 32
PID 1452 wrote to memory of 2308 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 32
PID 1452 wrote to memory of 2308 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 32
PID 1452 wrote to memory of 2308 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 32
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 2308 wrote to memory of 2344 | 2308 | explorer.exe | 33
PID 1452 wrote to memory of 2992 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 34
PID 1452 wrote to memory of 2992 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 34
PID 1452 wrote to memory of 2992 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 34
PID 1452 wrote to memory of 2992 | 1452 | ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe | 34
PID 2992 wrote to memory of 2840 | 2992 | winlogon.exe | 35
PID 2992 wrote to memory of 2840 | 2992 | winlogon.exe | 35
PID 2992 wrote to memory of 2840 | 2992 | winlogon.exe | 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1932
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2748
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
- System Location Discovery: System Language Discovery
PID:2344
-
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2840
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:720
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2296
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"3⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1492 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- Adds Run key to start application
PID:2572
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1660
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1544
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"4⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2028 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2348
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1240
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2520
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"5⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2684 -
C:\Windows\SysWOW64\notepad.exenotepad6⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:836
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2888
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"6⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:2616 -
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2940
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2396
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"7⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1796
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"7⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:572 -
C:\Windows\SysWOW64\notepad.exenotepad8⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:848
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"8⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2268
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"8⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:308 -
C:\Windows\SysWOW64\notepad.exenotepad9⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:344
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2780
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"9⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2364
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  9⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:2896
C:\Windows\SysWOW64\notepad.exe  notepad  10⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2716
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1100
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  10⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:1936
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  10⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:1064
C:\Windows\SysWOW64\notepad.exe  notepad  11⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2856
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2068
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  11⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:2932
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  11⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:628
C:\Windows\SysWOW64\notepad.exe  notepad  12⤵
- Adds Run key to start application
PID:2064
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2360
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  12⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2268
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  12⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1972
C:\Windows\SysWOW64\notepad.exe  notepad  13⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2172
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2472
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  13⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2364
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  13⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:2760
C:\Windows\SysWOW64\notepad.exe  notepad  14⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2644
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1936
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  14⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:2896
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  14⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:320
C:\Windows\SysWOW64\notepad.exe  notepad  15⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:688
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2220
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  15⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:1516
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  15⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2488
C:\Windows\SysWOW64\notepad.exe  notepad  16⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2152
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3044
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  16⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2292
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  16⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:3048
C:\Windows\SysWOW64\notepad.exe  notepad  17⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1580
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2596
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  17⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1504
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  17⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2648
C:\Windows\SysWOW64\notepad.exe  notepad  18⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2168
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1592
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  18⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:2988
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  18⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2760
C:\Windows\SysWOW64\notepad.exe  notepad  19⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1648
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2936
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  19⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2920
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  19⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
PID:1776
C:\Windows\SysWOW64\notepad.exe  notepad  20⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1752
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  20⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:236
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  20⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2292
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  20⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2388
C:\Windows\SysWOW64\notepad.exe  notepad  21⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1864
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2836
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  21⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Enumerates system info in registry
PID:3048
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  21⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:1832
C:\Windows\SysWOW64\notepad.exe  notepad  22⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1772
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1816
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  22⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1912
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  22⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:876
C:\Windows\SysWOW64\notepad.exe  notepad  23⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2228
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2564
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  23⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1252
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  23⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1656
C:\Windows\SysWOW64\notepad.exe  notepad  24⤵
- Adds Run key to start application
PID:1128
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE  "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"  24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1400
C:\Windows\SysWOW64\explorer.exe  "C:\Windows\SysWOW64\explorer.exe"  24⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1644
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe  "C:\Windows\system32\Wlnsxp\winlogon.exe"  24⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1824
C:\Windows\SysWOW64\notepad.exe  notepad  25⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2620
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
Downloads
-
Filesize: 817KB
MD5: ea08892b4db745c9fe47e488ff859e44
SHA1: 36d0b4980e40f343c272232f21ce012162cb3da0
SHA256: 62ba430c840b1ddbf9643a897f29c0af0dfda8f14878a0a825f8e49058ef2f6c
SHA512: 6009341d82b0507170798d87ebd21f541a71914530f159a0052547d8210af4c1fc600f8ba94b8f55c28b8747f76ff04bbc0b359b290b6ca996dcb82dfe8db9fd
-
Filesize: 60KB
MD5: 2a7cf13acb76bd371fc77250462deb7d
SHA1: 1cec85761b0d62cf5da744adc2fb7c35a2934779
SHA256: 787c9933b171b34f77439c729bea9cf121c4d1336c5f037f55bb42115efd286d
SHA512: 161e315922983a9f729a972a1cb320f1762aff9d0708c68abaf559270ae409454af4496fd076c95ea219a3d9ca2794a0a934c6d4b539899617ff33f6638d8238