darkcomet | 938bd9bc72679a0fa7c58952f47648187c7ff0b3fad92dae6826f3f82c42da1c

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\svchost\\svchost.exe"	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe

Modifies firewall policy service 3 TTPs 64 IoCs

defense_evasion

Modify Registry

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe

Windows security bypass 2 TTPs 32 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Checks BIOS information in registry 2 TTPs 33 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Deletes itself 1 IoCs

pid	Process
4200	notepad.exe

Executes dropped EXE 32 IoCs

pid	Process
1916	svchost.exe
5072	svchost.exe
4592	svchost.exe
1596	svchost.exe
1612	svchost.exe
4832	svchost.exe
4568	svchost.exe
1448	svchost.exe
1712	svchost.exe
3492	svchost.exe
4556	svchost.exe
5980	svchost.exe
5704	svchost.exe
2768	svchost.exe
4044	svchost.exe
5284	svchost.exe
6008	svchost.exe
2860	svchost.exe
628	svchost.exe
1708	svchost.exe
3732	svchost.exe
4968	svchost.exe
3052	svchost.exe
2900	svchost.exe
1804	svchost.exe
4196	svchost.exe
1932	svchost.exe
5072	svchost.exe
4596	svchost.exe
1936	svchost.exe
548	svchost.exe
4888	svchost.exe

Windows security modification 2 TTPs 16 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\svchost\\svchost.exe"	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\svchost\\svchost.exe"	notepad.exe

Suspicious use of SetThreadContext 49 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4872 set thread context of 3800	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	92
PID 3800 set thread context of 5316	3800	explorer.exe	98
PID 1916 set thread context of 4592	1916	svchost.exe	99
PID 4592 set thread context of 4780	4592	svchost.exe	102
PID 5072 set thread context of 1596	5072	svchost.exe	100
PID 1596 set thread context of 4848	1596	svchost.exe	103
PID 4780 set thread context of 1168	4780	explorer.exe	104
PID 4848 set thread context of 652	4848	explorer.exe	105
PID 1612 set thread context of 4832	1612	svchost.exe	119
PID 4832 set thread context of 5716	4832	svchost.exe	120
PID 5716 set thread context of 5124	5716	explorer.exe	121
PID 4568 set thread context of 1448	4568	svchost.exe	127
PID 1448 set thread context of 5068	1448	svchost.exe	128
PID 5068 set thread context of 3264	5068	explorer.exe	129
PID 1712 set thread context of 3492	1712	svchost.exe	134
PID 3492 set thread context of 3252	3492	svchost.exe	135
PID 3252 set thread context of 3196	3252	explorer.exe	136
PID 4556 set thread context of 5980	4556	svchost.exe	144
PID 5980 set thread context of 1596	5980	svchost.exe	145
PID 1596 set thread context of 4708	1596	explorer.exe	146
PID 5704 set thread context of 2768	5704	svchost.exe	153
PID 2768 set thread context of 4764	2768	svchost.exe	154
PID 4764 set thread context of 4876	4764	explorer.exe	155
PID 4044 set thread context of 5284	4044	svchost.exe	159
PID 6008 set thread context of 2860	6008	svchost.exe	164
PID 2860 set thread context of 1296	2860	svchost.exe	165
PID 1296 set thread context of 868	1296	explorer.exe	166
PID 628 set thread context of 1708	628	svchost.exe	171
PID 1708 set thread context of 2176	1708	svchost.exe	172
PID 2176 set thread context of 4032	2176	explorer.exe	173
PID 3732 set thread context of 4968	3732	svchost.exe	177
PID 4968 set thread context of 3264	4968	svchost.exe	178
PID 3264 set thread context of 2324	3264	explorer.exe	179
PID 3052 set thread context of 2900	3052	svchost.exe	183
PID 2900 set thread context of 3252	2900	svchost.exe	184
PID 3252 set thread context of 5788	3252	explorer.exe	185
PID 1804 set thread context of 4196	1804	svchost.exe	189
PID 4196 set thread context of 808	4196	svchost.exe	190
PID 808 set thread context of 5500	808	explorer.exe	191
PID 1932 set thread context of 5072	1932	svchost.exe	195
PID 5072 set thread context of 4480	5072	svchost.exe	196
PID 4480 set thread context of 4776	4480	explorer.exe	197
PID 4596 set thread context of 1936	4596	svchost.exe	201
PID 1936 set thread context of 5204	1936	svchost.exe	202
PID 5204 set thread context of 1464	5204	explorer.exe	203
PID 548 set thread context of 4888	548	svchost.exe	207
PID 4888 set thread context of 4860	4888	svchost.exe	208
PID 4860 set thread context of 4060	4860	explorer.exe	209

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\svchost\svchost.exe	notepad.exe
File created	C:\Windows\svchost\svchost.exe	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
File opened for modification	C:\Windows\svchost\svchost.exe	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
File opened for modification	C:\Windows\svchost\	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe

Enumerates system info in registry 2 TTPs 33 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5316	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeSecurityPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeTakeOwnershipPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeLoadDriverPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeSystemProfilePrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeSystemtimePrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeProfSingleProcessPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeIncBasePriorityPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeCreatePagefilePrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeBackupPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeRestorePrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeShutdownPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeDebugPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeSystemEnvironmentPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeChangeNotifyPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeRemoteShutdownPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeUndockPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeManageVolumePrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeImpersonatePrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeCreateGlobalPrivilege	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: 33	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: 34	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: 35	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: 36	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
Token: SeIncreaseQuotaPrivilege	5316	explorer.exe
Token: SeSecurityPrivilege	5316	explorer.exe
Token: SeTakeOwnershipPrivilege	5316	explorer.exe
Token: SeLoadDriverPrivilege	5316	explorer.exe
Token: SeSystemProfilePrivilege	5316	explorer.exe
Token: SeSystemtimePrivilege	5316	explorer.exe
Token: SeProfSingleProcessPrivilege	5316	explorer.exe
Token: SeIncBasePriorityPrivilege	5316	explorer.exe
Token: SeCreatePagefilePrivilege	5316	explorer.exe
Token: SeBackupPrivilege	5316	explorer.exe
Token: SeRestorePrivilege	5316	explorer.exe
Token: SeShutdownPrivilege	5316	explorer.exe
Token: SeDebugPrivilege	5316	explorer.exe
Token: SeSystemEnvironmentPrivilege	5316	explorer.exe
Token: SeChangeNotifyPrivilege	5316	explorer.exe
Token: SeRemoteShutdownPrivilege	5316	explorer.exe
Token: SeUndockPrivilege	5316	explorer.exe
Token: SeManageVolumePrivilege	5316	explorer.exe
Token: SeImpersonatePrivilege	5316	explorer.exe
Token: SeCreateGlobalPrivilege	5316	explorer.exe
Token: 33	5316	explorer.exe
Token: 34	5316	explorer.exe
Token: 35	5316	explorer.exe
Token: 36	5316	explorer.exe
Token: SeIncreaseQuotaPrivilege	4592	svchost.exe
Token: SeSecurityPrivilege	4592	svchost.exe
Token: SeTakeOwnershipPrivilege	4592	svchost.exe
Token: SeLoadDriverPrivilege	4592	svchost.exe
Token: SeSystemProfilePrivilege	4592	svchost.exe
Token: SeSystemtimePrivilege	4592	svchost.exe
Token: SeProfSingleProcessPrivilege	4592	svchost.exe
Token: SeIncBasePriorityPrivilege	4592	svchost.exe
Token: SeCreatePagefilePrivilege	4592	svchost.exe
Token: SeBackupPrivilege	4592	svchost.exe
Token: SeRestorePrivilege	4592	svchost.exe
Token: SeShutdownPrivilege	4592	svchost.exe
Token: SeDebugPrivilege	4592	svchost.exe
Token: SeSystemEnvironmentPrivilege	4592	svchost.exe
Token: SeChangeNotifyPrivilege	4592	svchost.exe
Token: SeRemoteShutdownPrivilege	4592	svchost.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
3800	explorer.exe
1916	svchost.exe
5072	svchost.exe
4780	explorer.exe
4848	explorer.exe
1612	svchost.exe
5716	explorer.exe
4568	svchost.exe
5068	explorer.exe
1712	svchost.exe
3252	explorer.exe
4556	svchost.exe
1596	explorer.exe
5704	svchost.exe
4764	explorer.exe
4044	svchost.exe
6008	svchost.exe
1296	explorer.exe
628	svchost.exe
2176	explorer.exe
3732	svchost.exe
3264	explorer.exe
3052	svchost.exe
3252	explorer.exe
1804	svchost.exe
808	explorer.exe
1932	svchost.exe
4480	explorer.exe
4596	svchost.exe
5204	explorer.exe
548	svchost.exe
4860	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4428 wrote to memory of 4872	4428	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	86
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3884	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	90
PID 4872 wrote to memory of 3800	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	92
PID 4872 wrote to memory of 3800	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	92
PID 4872 wrote to memory of 3800	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	92
PID 4872 wrote to memory of 3800	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	92
PID 4872 wrote to memory of 3800	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	92
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 4872 wrote to memory of 4200	4872	JaffaCakes118_aafee799316c875555aa6e4b93910716.exe	95
PID 5600 wrote to memory of 1916	5600	cmd.exe	96
PID 5600 wrote to memory of 1916	5600	cmd.exe	96
PID 5600 wrote to memory of 1916	5600	cmd.exe	96
PID 2272 wrote to memory of 5072	2272	cmd.exe	97
PID 2272 wrote to memory of 5072	2272	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aafee799316c875555aa6e4b93910716.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aafee799316c875555aa6e4b93910716.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3884
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3800
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      Modifies firewall policy service
      Windows security bypass
      Checks BIOS information in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:5316
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5600
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1916
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4780
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5072
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1596
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4848
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:1076
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1612
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4832
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5716
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:5064
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4568
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1448
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5068
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:1524
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1712
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3492
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3252
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:2360
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4556
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5980
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1596
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:4168
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5704
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2768
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4764
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:2288
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4044
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5284
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:3752
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6008
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2860
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1296
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:2320
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:628
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1708
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2176
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:2008
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3732
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4968
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3264
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:1632
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3052
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2900
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      PID:3252
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:5200
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1804
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4196
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:808
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:752
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1932
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5072
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4480
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:4796
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4596
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1936
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5204
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\svchost\svchost.exe
1⤵
PID:5436
- C:\Windows\svchost\svchost.exe
  C:\Windows\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:548
- - C:\Windows\svchost\svchost.exe
    C:\Windows\svchost\svchost.exe
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4888
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4860
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Checks BIOS information in registry
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4060

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery