Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 05:08

Behavioral task: behavioral1
Sample: ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Size: 817KB
MD5: ea08892b4db745c9fe47e488ff859e44
SHA1: 36d0b4980e40f343c272232f21ce012162cb3da0
SHA256: 62ba430c840b1ddbf9643a897f29c0af0dfda8f14878a0a825f8e49058ef2f6c
SHA512: 6009341d82b0507170798d87ebd21f541a71914530f159a0052547d8210af4c1fc600f8ba94b8f55c28b8747f76ff04bbc0b359b290b6ca996dcb82dfe8db9fd
SSDEEP: 12288:b9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKJfSnk:JAQ6Zx9cxTmOrucTIEFSpOGKfok
Malware Config

(no extracted configuration listed for this task)

Signatures

Darkcomet family
Modifies WinLogon for persistence 2 TTPs 24 IoCs

Winlogon reads the UserInit value at every interactive logon and launches each comma-separated entry in it. The sample's own write sets the value to the stock userinit.exe followed by a dropped copy at C:\Windows\system32\Wlnsxp\winlogon.exe. All later writes are attributed to a process named winlogon.exe (the same name as the dropped file), and each of them rewrites the value with progressively more copies of the Wlnsxp path appended, so a compromised host ends up with a UserInit list many entries long rather than a single extra entry. The 24 rows below are the same value being rewritten; the sandbox lists them out of order, and the longest recorded value carries more than twenty copies of the Wlnsxp path. Paths are shown here with the report's backslash escaping removed; the value type is REG_SZ.

description      ioc                                                                                                     Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Windows\system32\Wlnsxp\winlogon.exe"   ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Windows\system32\Wlnsxp\winlogon.exe,C:\Windows\system32\Wlnsxp\winlogon.exe"   winlogon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe" followed by three or more copies of ",C:\Windows\system32\Wlnsxp\winlogon.exe" (remaining 22 rows, each with more copies than the last)   winlogon.exe
Modifies firewall policy service 3 TTPs 64 IoCs

Every row in this signature is attributed to explorer.exe rather than to the sample, which is what the sandbox records when the RAT's code runs inside Explorer's process. Only three distinct operations occur; the 64 rows are repeats of them. EnableFirewall = 0 is the operative change (it turns the firewall off for the standard profile); DisableNotifications = 0 is the default setting and changes nothing on its own. The sandbox logs the ControlSet001 path; on a live host the same key is reached through CurrentControlSet.

description      ioc                                                                                                     Process
Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile   explorer.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"   explorer.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"   explorer.exe
(each of the three operations repeated; 64 rows in total)
Modifies security service 2 TTPs 24 IoCs

Start = 4 is SERVICE_DISABLED, so the Security Center service (wscsvc) will not start on the next boot. The same write is recorded 24 times, again from explorer.exe.

description      ioc                                                               Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"   explorer.exe
(identical row repeated 24 times)
Suppresses Security Center notifications (signature heading not preserved on this page)

These are the XP/Vista-era Security Center flags that silence the "no antivirus" and "updates off" alerts. Note the WOW6432Node prefix: the sample is a 32-bit executable, so on this x64 image its write to HKLM\SOFTWARE\Microsoft\Security Center was redirected to the 32-bit view and the native key was not touched. The two values are written alternately, many times, from explorer.exe.

description      ioc                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   explorer.exe
(both rows repeated throughout the run)
Disables RegEdit via registry modification 24 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" explorer.exe (24 events) -
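The export writes one record per event and breaks long runs in the middle of a record, which is why the signature tables on this page read as walls of text. The Python below is an added example, not part of the report or of any sandbox tooling: it parses a run in the report's own "description ioc Process" layout into unique rows with counts. The process column is recovered from the trailing executable name, allowing the single-space version token seen in RSCLIENT V2.0.EXE; that no other process name on the page contains a space is an assumption. The sample text is constructed from entries on this page, with a record deliberately split across two physical lines as the export does.

```python
import re
from collections import Counter

# Record kinds that appear in the report's "description" column.
DESCRIPTIONS = (
    "Set value (str)",
    "Set value (int)",
    "Key value queried",
    "Key opened",
    "File created",
    "File opened for modification",
)
_ALT = "|".join(re.escape(d) for d in DESCRIPTIONS)
_SPLIT = re.compile(r"(?=(?:%s) )" % _ALT)      # zero-width split in front of every record
_DESC = re.compile(r"^(%s) (.*)$" % _ALT, re.S)
# The Process column is the trailing executable name. The optional version token exists
# only because the report names one dropped file "RSCLIENT V2.0.EXE" (assumption: no
# other process name on the page contains a space).
_PROC = re.compile(r"(\S+(?: V[0-9.]+)?\.(?:exe|EXE))\s*$")


def parse_records(text):
    """Split a flattened 'description ioc Process' run into (description, ioc, process) tuples."""
    text = text.replace("description ioc Process", "")
    text = " ".join(text.split())                # re-join records the export broke across lines
    if text.endswith(" -"):                      # the export's section separator
        text = text[:-2]
    records = []
    for chunk in _SPLIT.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = _DESC.match(chunk)
        if not m:
            raise ValueError("unrecognised record: %r" % chunk[:60])
        desc, rest = m.groups()
        p = _PROC.search(rest)
        if not p:
            raise ValueError("no process name in record: %r" % chunk[:60])
        records.append((desc, rest[:p.start()].strip(), p.group(1)))
    return records


def condense(text):
    """Collapse repeated records into (description, ioc, process, count) rows, most frequent first."""
    counts = Counter(parse_records(text))
    rows = [(d, i, p, n) for (d, i, p), n in counts.items()]
    rows.sort(key=lambda r: (-r[3], r[0], r[2], r[1]))
    return rows


def format_table(rows):
    """Render condensed rows in the report's one-record-per-line layout."""
    return "\n".join("%s %s %s (%d event%s)" % (d, i, p, n, "" if n == 1 else "s")
                     for d, i, p, n in rows)


# Constructed excerpt in the export's layout, built from entries on this page: one run,
# broken mid-record across two physical lines and terminated by the " -" separator.
SAMPLE = (
    r'description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" explorer.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe Set value (str) '
    "\n"
    r'\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Wlnsxp\\winlogon.exe" notepad.exe '
    r'File opened for modification C:\Windows\SysWOW64\Wlnsxp\ winlogon.exe '
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RSCLIENT V2.0.EXE -'
)

if __name__ == "__main__":
    print(format_table(condense(SAMPLE)))
```

Feeding it the whole Security Center run above yields two rows of 24 events each, both attributed to explorer.exe.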
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 48 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate explorer.exe (24 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winlogon.exe (23 events)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe (1 event) -
Checks computer location settings 2 TTPs 24 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation winlogon.exe (23 events)
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe (1 event) -
Executes dropped EXE 47 IoCs
pid Process
RSCLIENT V2.0.EXE (24 launches): 3412, 184, 4492, 4548, 1364, 4012, 3788, 700, 4988, 1868, 1952, 1480, 4752, 4948, 1036, 4656, 552, 4696, 3244, 3424, 3324, 3652, 4412, 4120
winlogon.exe (23 launches): 1676, 2904, 2964, 4636, 4692, 2020, 4744, 4064, 3844, 2964, 224, 3712, 2508, 960, 3844, 4976, 3652, 3668, 116, 3248, 1572, 2768, 316
The report lists the launches alternating, one RSCLIENT V2.0.EXE then one winlogon.exe. Pids 2964 and 3844 each appear twice as winlogon.exe and 3652 appears under both names, so pids were recycled during the run and do not identify a process on their own. -
Adds Run key to start application 2 TTPs 48 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Wlnsxp\\winlogon.exe" notepad.exe (24 events)
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Wlnsxp\\winlogon.exe" winlogon.exe (23 events)
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\Wlnsxp\\winlogon.exe" ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe (1 event)
The value name "svchost" and the system32\Wlnsxp\winlogon.exe path both imitate Windows binaries. Because the writer is a 32-bit process, the dropped file itself lands under C:\Windows\SysWOW64\Wlnsxp\ (see the file events below), not under the System32 path the value names. -
Drops file in System32 directory 64 IoCs
description ioc Process
File created C:\Windows\SysWOW64\Wlnsxp\winlogon.exe winlogon.exe (13 events)
File created C:\Windows\SysWOW64\Wlnsxp\winlogon.exe notepad.exe (13 events)
File opened for modification C:\Windows\SysWOW64\Wlnsxp\winlogon.exe winlogon.exe (18 events)
File opened for modification C:\Windows\SysWOW64\Wlnsxp\winlogon.exe notepad.exe (1 event)
File opened for modification C:\Windows\SysWOW64\Wlnsxp\winlogon.exe ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe (1 event)
File opened for modification C:\Windows\SysWOW64\Wlnsxp\ winlogon.exe (18 events) -
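A host-side check for the persistence and tamper indicators recorded on this page: the Run\svchost value, the dropped Wlnsxp\winlogon.exe, the DisableRegistryTools policy and the two Security Center notification values. This is an added example, not code from the report or from any vendor tooling. Two points it is built around: the Run value names C:\Windows\system32\Wlnsxp\winlogon.exe while the file events show C:\Windows\SysWOW64\Wlnsxp\, because WoW64 file-system redirection placed the 32-bit writer's file under SysWOW64, so both locations are checked; and the Security Center values live under WOW6432Node, so the 32-bit view is addressed explicitly. The DisableTaskMgr and Winlogon\UserInit checks use the standard value names (the report records Task Manager tampering without showing the value; UserInit is a second autostart location DarkComet rewrites). `assess` is a pure function so it can be run over a constructed snapshot; `collect_snapshot` reads the live registry with the standard-library winreg module and only runs on Windows, from a 64-bit interpreter so that neither the registry nor the System32 path is redirected.

```python
import os
import sys

# The Run value names the System32 path; WoW64 redirection put the file under SysWOW64.
DROPPED_FILE_WOW64 = r"C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"
DROPPED_FILE_NATIVE = r"C:\Windows\System32\Wlnsxp\winlogon.exe"
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"


def _userinit_tampered(v):
    """Normal data is 'C:\\Windows\\system32\\userinit.exe,'; any extra entry is a finding."""
    parts = [p.strip().lower() for p in str(v).split(",") if p.strip()]
    return parts != [USERINIT_DEFAULT]


# (hive, key, value name, predicate on the data, finding text). DisableTaskMgr and UserInit
# are the standard value names; the report shows those two tamperings without the values.
CHECKS = [
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svchost",
     lambda v: r"\wlnsxp\winlogon.exe" in str(v).lower(),
     "Run\\svchost autostart points at the dropped winlogon.exe copy"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit",
     _userinit_tampered, "Winlogon\\UserInit runs extra executables after userinit.exe"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools",
     lambda v: str(v) == "1", "Registry Editor disabled by policy"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr",
     lambda v: str(v) == "1", "Task Manager disabled by policy"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Security Center", "AntiVirusDisableNotify",
     lambda v: str(v) == "1", "Security Center antivirus notifications disabled (32-bit view)"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Security Center", "UpdatesDisableNotify",
     lambda v: str(v) == "1", "Security Center update notifications disabled (32-bit view)"),
]


def assess(registry, files_present):
    """registry: {(hive, key, value name): data}; files_present: paths that exist. Returns findings."""
    findings = []
    for hive, key, name, hit, text in CHECKS:
        data = registry.get((hive, key, name))
        if data is not None and hit(data):
            findings.append("%s [%s\\%s\\%s = %r]" % (text, hive, key, name, data))
    present = {p.lower() for p in files_present}
    for path in (DROPPED_FILE_WOW64, DROPPED_FILE_NATIVE):
        if path.lower() in present:
            findings.append("dropped file present [%s]" % path)
    return findings


def collect_snapshot():
    """Windows only. Run from a 64-bit interpreter so neither the registry nor System32 is redirected."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    registry = {}
    for hive, key, name, _, _ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                registry[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:        # key or value absent
            pass
    files = {p for p in (DROPPED_FILE_WOW64, DROPPED_FILE_NATIVE) if os.path.isfile(p)}
    return registry, files


# Constructed snapshot: the registry values this report records, plus a tampered UserInit.
INFECTED = {
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svchost"):
        r"C:\Windows\system32\Wlnsxp\winlogon.exe",
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit"):
        r"C:\Windows\system32\userinit.exe,C:\Windows\system32\Wlnsxp\winlogon.exe",
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Security Center", "AntiVirusDisableNotify"): "1",
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Security Center", "UpdatesDisableNotify"): "1",
}
# Constructed clean snapshot: default UserInit, policy value present but zero.
CLEAN = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit"):
        r"C:\Windows\system32\userinit.exe,",
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 0,
}

if __name__ == "__main__":
    reg, files = collect_snapshot() if sys.platform == "win32" else (INFECTED, {DROPPED_FILE_WOW64})
    for finding in assess(reg, files):
        print(finding)
```

On a live host every finding is worth a look on its own; the Run value and the dropped file together are the persistence pair, and the policy values explain why regedit and Task Manager refuse to open for the affected user.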
Suspicious use of SetThreadContext 24 IoCs
description pid Process procid_target
PID 4556 set thread context of 3632 4556 ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe 88
PID 1676 set thread context of 3268 1676 winlogon.exe 94
PID 2904 set thread context of 3404 2904 winlogon.exe 100
PID 2964 set thread context of 2360 2964 winlogon.exe 104
PID 4636 set thread context of 3568 4636 winlogon.exe 109
PID 4692 set thread context of 1384 4692 winlogon.exe 114
PID 2020 set thread context of 4888 2020 winlogon.exe 118
PID 4744 set thread context of 5044 4744 winlogon.exe 122
PID 4064 set thread context of 4528 4064 winlogon.exe 126
PID 3844 set thread context of 5068 3844 winlogon.exe 130
PID 2964 set thread context of 4840 2964 winlogon.exe 134
PID 224 set thread context of 976 224 winlogon.exe 138
PID 3712 set thread context of 4192 3712 winlogon.exe 142
PID 2508 set thread context of 528 2508 winlogon.exe 146
PID 960 set thread context of 4292 960 winlogon.exe 150
PID 3844 set thread context of 5084 3844 winlogon.exe 154
PID 4976 set thread context of 4028 4976 winlogon.exe 158
PID 3652 set thread context of 3016 3652 winlogon.exe 162
PID 3668 set thread context of 1168 3668 winlogon.exe 166
PID 116 set thread context of 1736 116 winlogon.exe 170
PID 3248 set thread context of 2756 3248 winlogon.exe 174
PID 1572 set thread context of 4800 1572 winlogon.exe 178
PID 2768 set thread context of 3168 2768 winlogon.exe 182
PID 316 set thread context of 4324 316 winlogon.exe 186 -
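Each SetThreadContext row is one parent replacing the thread context of a child it created, the pattern of RunPE-style hollowing, and every dropped winlogon.exe performs it exactly once. Reading that off the table by hand is error-prone because the sandbox recycled pids during the run, so a pid that appears twice as an injector can be either one process injecting twice or two processes that happened to receive the same pid. The Python below is an added example, not part of the report: it parses the rows above together with the "Executes dropped EXE" list, tallies injectors per image, and checks whether the repeated injector pids coincide with pids the drop list also hands out twice. The row text is copied from this page; the regex for the trailing executable name allows the version token in RSCLIENT V2.0.EXE, an assumption about the naming on this page.

```python
import re
from collections import Counter, defaultdict

# One row of "Suspicious use of SetThreadContext":
#   PID <injector> set thread context of <target> <injector> <image> <procid_target>
_INJ = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+(?: V[0-9.]+)?\.(?:exe|EXE)) (\d+)")
# One entry of "Executes dropped EXE": <pid> <image>
_DROP = re.compile(r"(\d+) (\S+(?: V[0-9.]+)?\.(?:exe|EXE))")

# All 24 injection rows, copied from this report.
INJECTIONS = """
PID 4556 set thread context of 3632 4556 ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe 88
PID 1676 set thread context of 3268 1676 winlogon.exe 94
PID 2904 set thread context of 3404 2904 winlogon.exe 100
PID 2964 set thread context of 2360 2964 winlogon.exe 104
PID 4636 set thread context of 3568 4636 winlogon.exe 109
PID 4692 set thread context of 1384 4692 winlogon.exe 114
PID 2020 set thread context of 4888 2020 winlogon.exe 118
PID 4744 set thread context of 5044 4744 winlogon.exe 122
PID 4064 set thread context of 4528 4064 winlogon.exe 126
PID 3844 set thread context of 5068 3844 winlogon.exe 130
PID 2964 set thread context of 4840 2964 winlogon.exe 134
PID 224 set thread context of 976 224 winlogon.exe 138
PID 3712 set thread context of 4192 3712 winlogon.exe 142
PID 2508 set thread context of 528 2508 winlogon.exe 146
PID 960 set thread context of 4292 960 winlogon.exe 150
PID 3844 set thread context of 5084 3844 winlogon.exe 154
PID 4976 set thread context of 4028 4976 winlogon.exe 158
PID 3652 set thread context of 3016 3652 winlogon.exe 162
PID 3668 set thread context of 1168 3668 winlogon.exe 166
PID 116 set thread context of 1736 116 winlogon.exe 170
PID 3248 set thread context of 2756 3248 winlogon.exe 174
PID 1572 set thread context of 4800 1572 winlogon.exe 178
PID 2768 set thread context of 3168 2768 winlogon.exe 182
PID 316 set thread context of 4324 316 winlogon.exe 186
"""
# All 47 "Executes dropped EXE" entries, copied from this report in the order listed.
DROPPED = (
    "pid Process 3412 RSCLIENT V2.0.EXE 1676 winlogon.exe 184 RSCLIENT V2.0.EXE 2904 winlogon.exe "
    "4492 RSCLIENT V2.0.EXE 2964 winlogon.exe 4548 RSCLIENT V2.0.EXE 4636 winlogon.exe "
    "1364 RSCLIENT V2.0.EXE 4692 winlogon.exe 4012 RSCLIENT V2.0.EXE 2020 winlogon.exe "
    "3788 RSCLIENT V2.0.EXE 4744 winlogon.exe 700 RSCLIENT V2.0.EXE 4064 winlogon.exe "
    "4988 RSCLIENT V2.0.EXE 3844 winlogon.exe 1868 RSCLIENT V2.0.EXE 2964 winlogon.exe "
    "1952 RSCLIENT V2.0.EXE 224 winlogon.exe 1480 RSCLIENT V2.0.EXE 3712 winlogon.exe "
    "4752 RSCLIENT V2.0.EXE 2508 winlogon.exe 4948 RSCLIENT V2.0.EXE 960 winlogon.exe "
    "1036 RSCLIENT V2.0.EXE 3844 winlogon.exe 4656 RSCLIENT V2.0.EXE 4976 winlogon.exe "
    "552 RSCLIENT V2.0.EXE 3652 winlogon.exe 4696 RSCLIENT V2.0.EXE 3668 winlogon.exe "
    "3244 RSCLIENT V2.0.EXE 116 winlogon.exe 3424 RSCLIENT V2.0.EXE 3248 winlogon.exe "
    "3324 RSCLIENT V2.0.EXE 1572 winlogon.exe 3652 RSCLIENT V2.0.EXE 2768 winlogon.exe "
    "4412 RSCLIENT V2.0.EXE 316 winlogon.exe 4120 RSCLIENT V2.0.EXE"
)


def parse_injections(text):
    """[(injector_pid, target_pid, injector_image, procid_target)] from SetThreadContext rows."""
    return [(int(a), int(b), img, int(t)) for a, b, img, t in _INJ.findall(text)]


def parse_dropped(text):
    """[(pid, image)] in the order the report lists the launches."""
    return [(int(p), img) for p, img in _DROP.findall(text)]


def summarize(inj_text, drop_text):
    """Tally injections per image and reconcile repeated injector pids with pid reuse in the drop list."""
    inj = parse_injections(inj_text)
    drops = parse_dropped(drop_text)
    by_injector = defaultdict(list)
    for pid, target, img, _ in inj:
        by_injector[(pid, img)].append(target)
    launches = Counter(pid for pid, _ in drops)
    reused = {pid for pid, n in launches.items() if n > 1}
    multi = [pid for (pid, _), targets in by_injector.items() if len(targets) > 1]
    dropped_set = set(drops)
    return {
        "injections": len(inj),
        "by_image": dict(Counter(img for _, _, img, _ in inj)),
        "multi_target_pids": sorted(multi),
        "reused_pids": sorted(reused),
        # a pid with two targets is two distinct processes if the pid was also handed out twice
        "multi_target_is_pid_reuse": all(pid in reused for pid in multi),
        # injectors that are not dropped executables (expected: only the original sample)
        "injectors_not_dropped": sorted(pid for (pid, img) in by_injector if (pid, img) not in dropped_set),
    }


if __name__ == "__main__":
    for key, value in summarize(INJECTIONS, DROPPED).items():
        print("%-28s %s" % (key, value))
```

For this report the result is 23 injections by winlogon.exe and one by the original sample; the two pids that inject twice (2964 and 3844) are exactly pids the drop list also hands out twice, so they are four processes, not two, and any process tree built from this page has to be keyed on more than the pid.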
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe (18 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe (16 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe (15 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RSCLIENT V2.0.EXE (14 events)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe (1 event) -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 48 IoCs
Modifies registry class 24 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3632 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 24 IoCs
pid Process 3412 RSCLIENT V2.0.EXE 3632 explorer.exe 184 RSCLIENT V2.0.EXE 4492 RSCLIENT V2.0.EXE 4548 RSCLIENT V2.0.EXE 1364 RSCLIENT V2.0.EXE 4012 RSCLIENT V2.0.EXE 3788 RSCLIENT V2.0.EXE 700 RSCLIENT V2.0.EXE 4988 RSCLIENT V2.0.EXE 1868 RSCLIENT V2.0.EXE 1480 RSCLIENT V2.0.EXE 4752 RSCLIENT V2.0.EXE 4948 RSCLIENT V2.0.EXE 1036 RSCLIENT V2.0.EXE 4656 RSCLIENT V2.0.EXE 552 RSCLIENT V2.0.EXE 4696 RSCLIENT V2.0.EXE 3244 RSCLIENT V2.0.EXE 3424 RSCLIENT V2.0.EXE 3324 RSCLIENT V2.0.EXE 3652 RSCLIENT V2.0.EXE 4412 RSCLIENT V2.0.EXE 4120 RSCLIENT V2.0.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ea08892b4db745c9fe47e488ff859e44_JaffaCakes118.exe", depth 1)
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
C:\Windows\SysWOW64\notepad.exe (command line: notepad, depth 2)
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2856
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE", depth 2)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3412
C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe", depth 2)
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
C:\Windows\SysWOW64\notepad.exe (command line: C:\Windows\SysWOW64\notepad.exe, depth 3)
- System Location Discovery: System Language Discovery
PID:2420
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (command line: "C:\Windows\system32\Wlnsxp\winlogon.exe", depth 2)
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
C:\Windows\SysWOW64\notepad.exe (command line: notepad, depth 3)
- Adds Run key to start application
PID:4228
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE", depth 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:184
C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe", depth 3)
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3268
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (command line: "C:\Windows\system32\Wlnsxp\winlogon.exe", depth 3)
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2904
C:\Windows\SysWOW64\notepad.exe (command line: notepad, depth 4)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4388
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE", depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4492
C:\Windows\SysWOW64\explorer.exe (command line: "C:\Windows\SysWOW64\explorer.exe", depth 4)
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3404
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (command line: "C:\Windows\system32\Wlnsxp\winlogon.exe", depth 4)
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2004
-
-
C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4548
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2360
-
-
C:\Windows\SysWOW64\Wlnsxp\winlogon.exe"C:\Windows\system32\Wlnsxp\winlogon.exe"5⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4636 -
C:\Windows\SysWOW64\notepad.exe (depth 6, PID 3332)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 6, PID 1364)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 6, PID 3568)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 6, PID 4692)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 7, PID 380)
Command line: notepad
- Adds Run key to start application
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 7, PID 4012)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 7, PID 1384)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 7, PID 2020)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 8, PID 2808)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 8, PID 3788)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 8, PID 4888)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 8, PID 4744)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 9, PID 4472)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 9, PID 700)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 9, PID 5044)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 9, PID 4064)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 10, PID 4496)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 10, PID 4988)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 10, PID 4528)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 10, PID 3844)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 11, PID 3240)
Command line: notepad
- Adds Run key to start application

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 11, PID 1868)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 11, PID 5068)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 11, PID 2964)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
C:\Windows\SysWOW64\notepad.exe (depth 12, PID 2192)
Command line: notepad
- Adds Run key to start application
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 12, PID 1952)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\explorer.exe (depth 12, PID 4840)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 12, PID 224)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 13, PID 4880)
Command line: notepad
- Adds Run key to start application

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 13, PID 1480)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 13, PID 976)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 13, PID 3712)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 14, PID 1216)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 14, PID 4752)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 14, PID 4192)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 14, PID 2508)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 15, PID 4676)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 15, PID 4948)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 15, PID 528)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 15, PID 960)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 16, PID 4528)
Command line: notepad
- Adds Run key to start application

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 16, PID 1036)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 16, PID 4292)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 16, PID 3844)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 17, PID 2072)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 17, PID 4656)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 17, PID 5084)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 17, PID 4976)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 18, PID 4908)
Command line: notepad
- Adds Run key to start application

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 18, PID 552)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 18, PID 4028)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 18, PID 3652)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
C:\Windows\SysWOW64\notepad.exe (depth 19, PID 3036)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 19, PID 4696)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 19, PID 3016)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 19, PID 3668)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 20, PID 2400)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 20, PID 3244)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 20, PID 1168)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 20, PID 116)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 21, PID 2508)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 21, PID 3424)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 21, PID 1736)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 21, PID 3248)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 22, PID 4292)
Command line: notepad
- Adds Run key to start application
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 22, PID 3324)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 22, PID 2756)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 22, PID 1572)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 23, PID 2036)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 23, PID 3652)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 23, PID 4800)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 23, PID 2768)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 24, PID 4140)
Command line: notepad
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 24, PID 4412)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 24, PID 3168)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 24, PID 316)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class

C:\Windows\SysWOW64\notepad.exe (depth 25, PID 3236)
Command line: notepad
- Adds Run key to start application
- System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE (depth 25, PID 4120)
Command line: "C:\Users\Admin\AppData\Local\Temp\RSCLIENT V2.0.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\explorer.exe (depth 25, PID 4324)
Command line: "C:\Windows\SysWOW64\explorer.exe"
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry

C:\Windows\SysWOW64\Wlnsxp\winlogon.exe (depth 25, PID 3588)
Command line: "C:\Windows\system32\Wlnsxp\winlogon.exe"

C:\Windows\SysWOW64\notepad.exe (depth 26, PID 3248)
Command line: notepad
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
Downloads
- Filesize: 60KB
  MD5: 2a7cf13acb76bd371fc77250462deb7d
  SHA1: 1cec85761b0d62cf5da744adc2fb7c35a2934779
  SHA256: 787c9933b171b34f77439c729bea9cf121c4d1336c5f037f55bb42115efd286d
  SHA512: 161e315922983a9f729a972a1cb320f1762aff9d0708c68abaf559270ae409454af4496fd076c95ea219a3d9ca2794a0a934c6d4b539899617ff33f6638d8238
- Filesize: 817KB
  MD5: ea08892b4db745c9fe47e488ff859e44
  SHA1: 36d0b4980e40f343c272232f21ce012162cb3da0
  SHA256: 62ba430c840b1ddbf9643a897f29c0af0dfda8f14878a0a825f8e49058ef2f6c
  SHA512: 6009341d82b0507170798d87ebd21f541a71914530f159a0052547d8210af4c1fc600f8ba94b8f55c28b8747f76ff04bbc0b359b290b6ca996dcb82dfe8db9fd