darkcomet | 628ff193256507f8c7ee292dbb844eb1af73dd40370225d07f91823f9b7a80bf

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2025, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Size

811KB
MD5

423e2a21a50500e685a172c24ec0f433
SHA1

f36cedcbc57957e9bc238e538b9057d4df66eaa7
SHA256

628ff193256507f8c7ee292dbb844eb1af73dd40370225d07f91823f9b7a80bf
SHA512

f33303b6db5cf4786debea19d7277e10f3067392989abf0f617ce79147c3a46244f710f9945ca640f4a092b49ba574280e55c7ecf02c8c76c7a28a3eb7668785
SSDEEP

24576:lAEENIq8XwyVPQclDq/+WnpsSdD0QZh9uL:lAEsw722Wn8L

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe"	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe,C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windark.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	windark.exe

Executes dropped EXE 23 IoCs

pid	Process
2832	windark.exe
2936	windark.exe
2904	windark.exe
1552	windark.exe
4500	windark.exe
1976	windark.exe
1224	windark.exe
3112	windark.exe
3028	windark.exe
1068	windark.exe
4640	windark.exe
5092	windark.exe
1908	windark.exe
208	windark.exe
4012	windark.exe
3936	windark.exe
4248	windark.exe
4980	windark.exe
988	windark.exe
4280	windark.exe
2348	windark.exe
3216	windark.exe
3868	windark.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windark = "C:\\Windows\\system32\\Windark\\windark.exe"	windark.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File created	C:\Windows\SysWOW64\Windark\windark.exe	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe
File opened for modification	C:\Windows\SysWOW64\Windark\	windark.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 23 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
436	PING.EXE
4016	PING.EXE
4840	PING.EXE
4744	PING.EXE
3400	PING.EXE
2036	PING.EXE
3464	PING.EXE
1948	PING.EXE
2856	PING.EXE
2044	PING.EXE
5112	PING.EXE
1356	PING.EXE
3304	PING.EXE
4156	PING.EXE
2136	PING.EXE
5016	PING.EXE
2320	PING.EXE
1332	PING.EXE
4564	PING.EXE
4868	PING.EXE
408	PING.EXE
4928	PING.EXE
4900	PING.EXE

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	windark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	windark.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	windark.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windark.exe

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
2320	PING.EXE
5016	PING.EXE
408	PING.EXE
5112	PING.EXE
1356	PING.EXE
4900	PING.EXE
4840	PING.EXE
1948	PING.EXE
4744	PING.EXE
2044	PING.EXE
3304	PING.EXE
4016	PING.EXE
1332	PING.EXE
3464	PING.EXE
2136	PING.EXE
4564	PING.EXE
2856	PING.EXE
4928	PING.EXE
3400	PING.EXE
2036	PING.EXE
436	PING.EXE
4156	PING.EXE
4868	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeSecurityPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeTakeOwnershipPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeLoadDriverPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeSystemProfilePrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeSystemtimePrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeProfSingleProcessPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeIncBasePriorityPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeCreatePagefilePrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeBackupPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeRestorePrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeShutdownPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeDebugPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeSystemEnvironmentPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeChangeNotifyPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeRemoteShutdownPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeUndockPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeManageVolumePrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeImpersonatePrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeCreateGlobalPrivilege	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: 33	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: 34	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: 35	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: 36	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
Token: SeIncreaseQuotaPrivilege	2832	windark.exe
Token: SeSecurityPrivilege	2832	windark.exe
Token: SeTakeOwnershipPrivilege	2832	windark.exe
Token: SeLoadDriverPrivilege	2832	windark.exe
Token: SeSystemProfilePrivilege	2832	windark.exe
Token: SeSystemtimePrivilege	2832	windark.exe
Token: SeProfSingleProcessPrivilege	2832	windark.exe
Token: SeIncBasePriorityPrivilege	2832	windark.exe
Token: SeCreatePagefilePrivilege	2832	windark.exe
Token: SeBackupPrivilege	2832	windark.exe
Token: SeRestorePrivilege	2832	windark.exe
Token: SeShutdownPrivilege	2832	windark.exe
Token: SeDebugPrivilege	2832	windark.exe
Token: SeSystemEnvironmentPrivilege	2832	windark.exe
Token: SeChangeNotifyPrivilege	2832	windark.exe
Token: SeRemoteShutdownPrivilege	2832	windark.exe
Token: SeUndockPrivilege	2832	windark.exe
Token: SeManageVolumePrivilege	2832	windark.exe
Token: SeImpersonatePrivilege	2832	windark.exe
Token: SeCreateGlobalPrivilege	2832	windark.exe
Token: 33	2832	windark.exe
Token: 34	2832	windark.exe
Token: 35	2832	windark.exe
Token: 36	2832	windark.exe
Token: SeIncreaseQuotaPrivilege	2936	windark.exe
Token: SeSecurityPrivilege	2936	windark.exe
Token: SeTakeOwnershipPrivilege	2936	windark.exe
Token: SeLoadDriverPrivilege	2936	windark.exe
Token: SeSystemProfilePrivilege	2936	windark.exe
Token: SeSystemtimePrivilege	2936	windark.exe
Token: SeProfSingleProcessPrivilege	2936	windark.exe
Token: SeIncBasePriorityPrivilege	2936	windark.exe
Token: SeCreatePagefilePrivilege	2936	windark.exe
Token: SeBackupPrivilege	2936	windark.exe
Token: SeRestorePrivilege	2936	windark.exe
Token: SeShutdownPrivilege	2936	windark.exe
Token: SeDebugPrivilege	2936	windark.exe
Token: SeSystemEnvironmentPrivilege	2936	windark.exe
Token: SeChangeNotifyPrivilege	2936	windark.exe
Token: SeRemoteShutdownPrivilege	2936	windark.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2832	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe	84
PID 2720 wrote to memory of 2832	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe	84
PID 2720 wrote to memory of 2832	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe	84
PID 2720 wrote to memory of 2492	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe	85
PID 2720 wrote to memory of 2492	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe	85
PID 2720 wrote to memory of 2492	2720	JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe	85
PID 2492 wrote to memory of 2320	2492	cmd.exe	87
PID 2492 wrote to memory of 2320	2492	cmd.exe	87
PID 2492 wrote to memory of 2320	2492	cmd.exe	87
PID 2832 wrote to memory of 2936	2832	windark.exe	88
PID 2832 wrote to memory of 2936	2832	windark.exe	88
PID 2832 wrote to memory of 2936	2832	windark.exe	88
PID 2832 wrote to memory of 3952	2832	windark.exe	89
PID 2832 wrote to memory of 3952	2832	windark.exe	89
PID 2832 wrote to memory of 3952	2832	windark.exe	89
PID 3952 wrote to memory of 2036	3952	cmd.exe	91
PID 3952 wrote to memory of 2036	3952	cmd.exe	91
PID 3952 wrote to memory of 2036	3952	cmd.exe	91
PID 2936 wrote to memory of 2904	2936	windark.exe	98
PID 2936 wrote to memory of 2904	2936	windark.exe	98
PID 2936 wrote to memory of 2904	2936	windark.exe	98
PID 2936 wrote to memory of 3684	2936	windark.exe	99
PID 2936 wrote to memory of 3684	2936	windark.exe	99
PID 2936 wrote to memory of 3684	2936	windark.exe	99
PID 3684 wrote to memory of 436	3684	cmd.exe	101
PID 3684 wrote to memory of 436	3684	cmd.exe	101
PID 3684 wrote to memory of 436	3684	cmd.exe	101
PID 2904 wrote to memory of 1552	2904	windark.exe	108
PID 2904 wrote to memory of 1552	2904	windark.exe	108
PID 2904 wrote to memory of 1552	2904	windark.exe	108
PID 2904 wrote to memory of 4456	2904	windark.exe	109
PID 2904 wrote to memory of 4456	2904	windark.exe	109
PID 2904 wrote to memory of 4456	2904	windark.exe	109
PID 4456 wrote to memory of 4156	4456	cmd.exe	111
PID 4456 wrote to memory of 4156	4456	cmd.exe	111
PID 4456 wrote to memory of 4156	4456	cmd.exe	111
PID 1552 wrote to memory of 4500	1552	windark.exe	114
PID 1552 wrote to memory of 4500	1552	windark.exe	114
PID 1552 wrote to memory of 4500	1552	windark.exe	114
PID 1552 wrote to memory of 4164	1552	windark.exe	115
PID 1552 wrote to memory of 4164	1552	windark.exe	115
PID 1552 wrote to memory of 4164	1552	windark.exe	115
PID 4164 wrote to memory of 4900	4164	cmd.exe	117
PID 4164 wrote to memory of 4900	4164	cmd.exe	117
PID 4164 wrote to memory of 4900	4164	cmd.exe	117
PID 4500 wrote to memory of 1976	4500	windark.exe	119
PID 4500 wrote to memory of 1976	4500	windark.exe	119
PID 4500 wrote to memory of 1976	4500	windark.exe	119
PID 4500 wrote to memory of 5116	4500	windark.exe	120
PID 4500 wrote to memory of 5116	4500	windark.exe	120
PID 4500 wrote to memory of 5116	4500	windark.exe	120
PID 5116 wrote to memory of 3304	5116	cmd.exe	122
PID 5116 wrote to memory of 3304	5116	cmd.exe	122
PID 5116 wrote to memory of 3304	5116	cmd.exe	122
PID 1976 wrote to memory of 1224	1976	windark.exe	123
PID 1976 wrote to memory of 1224	1976	windark.exe	123
PID 1976 wrote to memory of 1224	1976	windark.exe	123
PID 1976 wrote to memory of 2492	1976	windark.exe	124
PID 1976 wrote to memory of 2492	1976	windark.exe	124
PID 1976 wrote to memory of 2492	1976	windark.exe	124
PID 2492 wrote to memory of 4016	2492	cmd.exe	126
PID 2492 wrote to memory of 4016	2492	cmd.exe	126
PID 2492 wrote to memory of 4016	2492	cmd.exe	126
PID 1224 wrote to memory of 3112	1224	windark.exe	127

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_423e2a21a50500e685a172c24ec0f433.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\Windark\windark.exe
  "C:\Windows\system32\Windark\windark.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Windark\windark.exe
    "C:\Windows\system32\Windark\windark.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\Windark\windark.exe
      "C:\Windows\system32\Windark\windark.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        13⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        15⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        17⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        19⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        21⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        23⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Windark\windark.exe
        
        "C:\Windows\system32\Windark\windark.exe"
        25⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        25⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        15⤵
        
        PID:216
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        14⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        11⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
119B

MD5
df477d04c257623c6b27d53f5d7825e2

SHA1
cb1824486bd1abebd866bc2e640c4daec221e93c

SHA256
80e438064dd912c9e30a89e5d52c7ce78a8f676ef46c32fd98a78d1fde01210c

SHA512
592ae3e2e07060dc8acd99fe2fe2c54f2a2a4f54ad8310bffb55303838a076246c422bb9e7bec1197307dc743df8da8a0020b88d6165119e32e5e6ce344fe040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
74B

MD5
096f7e12ac4d9c311ca4260bdfe7f5c2

SHA1
fca64a8d081ec220e8b449c9cd7d391d5f154c8b

SHA256
c2d1eb36fc8d04928d4763e3c4e3a7f9b62ea03a49fa87f85f6c20418f8b8154

SHA512
94444ae692ed7ccca0d04fae8637718ebbc2c7e1429284f865b91f42593a0f45d05d89899c7129ac149079ff658c2c93ba5be0e4218fd80f67e7d2feaa595b69

Download Submit
C:\Windows\SysWOW64\Windark\windark.exe

Filesize
811KB

MD5
423e2a21a50500e685a172c24ec0f433

SHA1
f36cedcbc57957e9bc238e538b9057d4df66eaa7

SHA256
628ff193256507f8c7ee292dbb844eb1af73dd40370225d07f91823f9b7a80bf

SHA512
f33303b6db5cf4786debea19d7277e10f3067392989abf0f617ce79147c3a46244f710f9945ca640f4a092b49ba574280e55c7ecf02c8c76c7a28a3eb7668785

Download Submit
memory/208-123-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/988-153-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1068-99-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1224-81-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1552-63-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1908-117-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1976-75-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2348-165-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2720-0-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2720-39-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2832-45-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2832-38-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2904-57-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2936-51-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3028-93-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3112-87-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3216-170-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3868-174-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/3936-135-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4012-129-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4248-141-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4280-159-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4500-69-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4640-105-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4980-147-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5092-111-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads