47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

Analysis

max time kernel
188s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
Size

275KB
MD5

3bfe4b1936c05e45349746ed9adb36e3
SHA1

938998c4f5d4258577a99771df249e4d36a32f07
SHA256

47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d
SHA512

2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65
SSDEEP

6144:yCETCo8xh5516v+2UUA/HH6s7ejUxVPw/8kfvpIW06fc1:ueoMLl2UUmLlxtw/82Iafc

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

system.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Windows\\system32\\system\\system.exe\""	system.exe

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exesystem.exesystem.exe47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe

Executes dropped EXE 51 IoCs

Processes:

system.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid	process
268	system.exe
1496	system.exe
1568	system.exe
1072	system.exe
316	system.exe
872	system.exe
888	system.exe
1516	system.exe
1636	system.exe
1616	system.exe
308	system.exe
568	system.exe
1500	system.exe
700	system.exe
1044	system.exe
1576	system.exe
1796	system.exe
1764	system.exe
1400	system.exe
1600	system.exe
1360	system.exe
576	system.exe
2036	system.exe
1728	system.exe
328	system.exe
844	system.exe
1880	system.exe
1172	system.exe
1744	system.exe
2008	system.exe
1188	system.exe
1716	system.exe
1732	system.exe
1632	system.exe
1624	system.exe
108	system.exe
1408	system.exe
1296	system.exe
1948	system.exe
896	system.exe
1876	system.exe
1120	system.exe
1872	system.exe
1972	system.exe
1736	system.exe
1688	system.exe
1212	system.exe
1196	system.exe
2020	system.exe
1808	system.exe
468	system.exe

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Windows\\system32\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2J58XP0K-ERQO-J3F4-1E5X-JB44DFP82S24}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe restart"	system.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1352-54-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/1352-57-0x0000000002A80000-0x0000000002B69000-memory.dmp	upx
\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/1352-61-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
C:\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/268-64-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
\Users\Admin\AppData\Roaming\system\system.exe	upx
\Users\Admin\AppData\Roaming\system\system.exe	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/1496-74-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/1568-77-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
\Users\Admin\AppData\Roaming\system\system.exe	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/1568-83-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
behavioral1/memory/1072-84-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
C:\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/1072-90-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/316-93-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
\Users\Admin\AppData\Roaming\system\system.exe	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/872-98-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/872-104-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/888-106-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/888-112-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/1516-113-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
C:\Windows\SysWOW64\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/1516-119-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
behavioral1/memory/1636-121-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/1636-126-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/1616-129-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
\Windows\SysWOW64\system\system.exe	upx
C:\Windows\SysWOW64\system\system.exe	upx
\Windows\SysWOW64\system\system.exe	upx
behavioral1/memory/308-135-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Windows\SysWOW64\system\system.exe	upx
\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/308-140-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\system\system.exe	upx
behavioral1/memory/568-142-0x0000000000C80000-0x0000000000D69000-memory.dmp	upx

Loads dropped DLL 64 IoCs

Processes:

pid	process
1352	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
1352	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
268	system.exe
268	system.exe
1496	system.exe
1496	system.exe
1568	system.exe
1072	system.exe
1072	system.exe
316	system.exe
872	system.exe
872	system.exe
888	system.exe
1516	system.exe
1516	system.exe
1636	system.exe
1616	system.exe
1616	system.exe
308	system.exe
568	system.exe
568	system.exe
1500	system.exe
700	system.exe
700	system.exe
1044	system.exe
1576	system.exe
1576	system.exe
1796	system.exe
1764	system.exe
1764	system.exe
1400	system.exe
1600	system.exe
1600	system.exe
1360	system.exe
576	system.exe
576	system.exe
2036	system.exe
1728	system.exe
1728	system.exe
328	system.exe
844	system.exe
844	system.exe
1880	system.exe
1172	system.exe
1172	system.exe
1744	system.exe
2008	system.exe
2008	system.exe
1188	system.exe
1716	system.exe
1716	system.exe
1732	system.exe
1632	system.exe
1632	system.exe
1624	system.exe
108	system.exe
108	system.exe
1408	system.exe
1296	system.exe
1296	system.exe
1948	system.exe
896	system.exe
896	system.exe
1876	system.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\system\\system.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Server = "C:\\Windows\\system32\\system\\system.exe"	system.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	system.exe
File created	C:\Windows\SysWOW64\system\system.exe	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1352 wrote to memory of 268	1352	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe	system.exe
PID 1352 wrote to memory of 268	1352	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe	system.exe
PID 1352 wrote to memory of 268	1352	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe	system.exe
PID 1352 wrote to memory of 268	1352	47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe	system.exe
PID 268 wrote to memory of 1496	268	system.exe	system.exe
PID 268 wrote to memory of 1496	268	system.exe	system.exe
PID 268 wrote to memory of 1496	268	system.exe	system.exe
PID 268 wrote to memory of 1496	268	system.exe	system.exe
PID 1496 wrote to memory of 1568	1496	system.exe	system.exe
PID 1496 wrote to memory of 1568	1496	system.exe	system.exe
PID 1496 wrote to memory of 1568	1496	system.exe	system.exe
PID 1496 wrote to memory of 1568	1496	system.exe	system.exe
PID 1568 wrote to memory of 1072	1568	system.exe	system.exe
PID 1568 wrote to memory of 1072	1568	system.exe	system.exe
PID 1568 wrote to memory of 1072	1568	system.exe	system.exe
PID 1568 wrote to memory of 1072	1568	system.exe	system.exe
PID 1072 wrote to memory of 316	1072	system.exe	system.exe
PID 1072 wrote to memory of 316	1072	system.exe	system.exe
PID 1072 wrote to memory of 316	1072	system.exe	system.exe
PID 1072 wrote to memory of 316	1072	system.exe	system.exe
PID 316 wrote to memory of 872	316	system.exe	system.exe
PID 316 wrote to memory of 872	316	system.exe	system.exe
PID 316 wrote to memory of 872	316	system.exe	system.exe
PID 316 wrote to memory of 872	316	system.exe	system.exe
PID 872 wrote to memory of 888	872	system.exe	system.exe
PID 872 wrote to memory of 888	872	system.exe	system.exe
PID 872 wrote to memory of 888	872	system.exe	system.exe
PID 872 wrote to memory of 888	872	system.exe	system.exe
PID 888 wrote to memory of 1516	888	system.exe	system.exe
PID 888 wrote to memory of 1516	888	system.exe	system.exe
PID 888 wrote to memory of 1516	888	system.exe	system.exe
PID 888 wrote to memory of 1516	888	system.exe	system.exe
PID 1516 wrote to memory of 1636	1516	system.exe	system.exe
PID 1516 wrote to memory of 1636	1516	system.exe	system.exe
PID 1516 wrote to memory of 1636	1516	system.exe	system.exe
PID 1516 wrote to memory of 1636	1516	system.exe	system.exe
PID 1636 wrote to memory of 1616	1636	system.exe	system.exe
PID 1636 wrote to memory of 1616	1636	system.exe	system.exe
PID 1636 wrote to memory of 1616	1636	system.exe	system.exe
PID 1636 wrote to memory of 1616	1636	system.exe	system.exe
PID 1616 wrote to memory of 308	1616	system.exe	system.exe
PID 1616 wrote to memory of 308	1616	system.exe	system.exe
PID 1616 wrote to memory of 308	1616	system.exe	system.exe
PID 1616 wrote to memory of 308	1616	system.exe	system.exe
PID 308 wrote to memory of 568	308	system.exe	system.exe
PID 308 wrote to memory of 568	308	system.exe	system.exe
PID 308 wrote to memory of 568	308	system.exe	system.exe
PID 308 wrote to memory of 568	308	system.exe	system.exe
PID 568 wrote to memory of 1500	568	system.exe	system.exe
PID 568 wrote to memory of 1500	568	system.exe	system.exe
PID 568 wrote to memory of 1500	568	system.exe	system.exe
PID 568 wrote to memory of 1500	568	system.exe	system.exe
PID 1500 wrote to memory of 700	1500	system.exe	system.exe
PID 1500 wrote to memory of 700	1500	system.exe	system.exe
PID 1500 wrote to memory of 700	1500	system.exe	system.exe
PID 1500 wrote to memory of 700	1500	system.exe	system.exe
PID 700 wrote to memory of 1044	700	system.exe	system.exe
PID 700 wrote to memory of 1044	700	system.exe	system.exe
PID 700 wrote to memory of 1044	700	system.exe	system.exe
PID 700 wrote to memory of 1044	700	system.exe	system.exe
PID 1044 wrote to memory of 1576	1044	system.exe	system.exe
PID 1044 wrote to memory of 1576	1044	system.exe	system.exe
PID 1044 wrote to memory of 1576	1044	system.exe	system.exe
PID 1044 wrote to memory of 1576	1044	system.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe
"C:\Users\Admin\AppData\Local\Temp\47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
2⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
7⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
8⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
9⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
10⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
11⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
12⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
14⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
15⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
16⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
17⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1576

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1796

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
19⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1764

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
20⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1400

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
21⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1600

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
22⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1360

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
23⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:576

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
24⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2036

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
25⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
PID:1728

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
26⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:328

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
27⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:844

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
28⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1880

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
29⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1172

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
30⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1744

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
31⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2008

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
32⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1188

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
33⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1716

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
34⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1732

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
35⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1632

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
36⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1624

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
37⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
PID:108

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
38⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1408

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
39⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
PID:1296

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
40⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1948

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
41⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:896

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:1876

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
43⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
PID:1120

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
PID:1872

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
45⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Drops file in System32 directory
PID:1972

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
46⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
PID:1736

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
47⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID:1688

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
48⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID:1212

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
49⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
PID:1196

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
50⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
PID:2020

C:\Users\Admin\AppData\Roaming\system\system.exe
"C:\Users\Admin\AppData\Roaming\system\system.exe"
51⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID:1808

C:\Windows\SysWOW64\system\system.exe
"C:\Windows\system32\system\system.exe"
52⤵
- Executes dropped EXE
PID:468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
C:\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Users\Admin\AppData\Roaming\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
\Windows\SysWOW64\system\system.exe
Filesize
275KB

MD5
3bfe4b1936c05e45349746ed9adb36e3

SHA1
938998c4f5d4258577a99771df249e4d36a32f07

SHA256
47739c4d3babe63922e4b49f098d616769d7beb5bffb3572e4e87b50a3f1ac7d

SHA512
2ccfd80020aff6d14a9ba8c9b438a64dc61c7315f0d27af5ffcfd76d6ac364972aacf0d41f2f53ea0710903757b1789e0b56dd6055e0cda46875e5a3522c2c65

Download Submit
memory/108-252-0x0000000000000000-mapping.dmp

Download
memory/268-59-0x0000000000000000-mapping.dmp

Download
memory/268-64-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/308-132-0x0000000000000000-mapping.dmp

Download
memory/308-135-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/308-140-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/316-93-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/316-88-0x0000000000000000-mapping.dmp

Download
memory/328-214-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/328-216-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/328-211-0x0000000000000000-mapping.dmp

Download
memory/468-309-0x0000000000000000-mapping.dmp

Download
memory/568-142-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/568-148-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/568-138-0x0000000000000000-mapping.dmp

Download
memory/576-205-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/576-202-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/576-199-0x0000000000000000-mapping.dmp

Download
memory/700-162-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/700-156-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/700-152-0x0000000000000000-mapping.dmp

Download
memory/844-220-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/844-218-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/844-215-0x0000000000000000-mapping.dmp

Download
memory/872-104-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/872-95-0x0000000000000000-mapping.dmp

Download
memory/872-98-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/888-112-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/888-106-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/888-102-0x0000000000000000-mapping.dmp

Download
memory/896-268-0x0000000000000000-mapping.dmp

Download
memory/1044-160-0x0000000000000000-mapping.dmp

Download
memory/1044-170-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1044-164-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1072-90-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1072-84-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1072-80-0x0000000000000000-mapping.dmp

Download
memory/1120-275-0x0000000000000000-mapping.dmp

Download
memory/1172-223-0x0000000000000000-mapping.dmp

Download
memory/1172-226-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1172-229-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1188-241-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1188-235-0x0000000000000000-mapping.dmp

Download
memory/1188-238-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1196-298-0x0000000000000000-mapping.dmp

Download
memory/1212-294-0x0000000000000000-mapping.dmp

Download
memory/1296-260-0x0000000000000000-mapping.dmp

Download
memory/1352-61-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1352-54-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1352-57-0x0000000002A80000-0x0000000002B69000-memory.dmp

Filesize
932KB

Download
memory/1352-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1360-195-0x0000000000000000-mapping.dmp

Download
memory/1360-201-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1360-198-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1400-194-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1400-188-0x0000000000000000-mapping.dmp

Download
memory/1400-191-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1408-256-0x0000000000000000-mapping.dmp

Download
memory/1496-67-0x0000000000000000-mapping.dmp

Download
memory/1496-74-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1500-154-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1500-146-0x0000000000000000-mapping.dmp

Download
memory/1516-109-0x0000000000000000-mapping.dmp

Download
memory/1516-113-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1516-119-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1568-73-0x0000000000000000-mapping.dmp

Download
memory/1568-77-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1568-83-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1576-178-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1576-171-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1576-167-0x0000000000000000-mapping.dmp

Download
memory/1600-192-0x0000000000000000-mapping.dmp

Download
memory/1600-196-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1616-129-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1616-124-0x0000000000000000-mapping.dmp

Download
memory/1624-249-0x0000000000000000-mapping.dmp

Download
memory/1624-254-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1632-246-0x0000000000000000-mapping.dmp

Download
memory/1632-250-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1636-126-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1636-121-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1636-117-0x0000000000000000-mapping.dmp

Download
memory/1688-290-0x0000000000000000-mapping.dmp

Download
memory/1716-239-0x0000000000000000-mapping.dmp

Download
memory/1716-243-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1728-213-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1728-207-0x0000000000000000-mapping.dmp

Download
memory/1728-210-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1732-242-0x0000000000000000-mapping.dmp

Download
memory/1732-248-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1732-245-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1736-287-0x0000000000000000-mapping.dmp

Download
memory/1744-230-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1744-227-0x0000000000000000-mapping.dmp

Download
memory/1744-233-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1764-190-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1764-186-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1764-182-0x0000000000000000-mapping.dmp

Download
memory/1796-179-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1796-185-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1796-175-0x0000000000000000-mapping.dmp

Download
memory/1808-306-0x0000000000000000-mapping.dmp

Download
memory/1872-279-0x0000000000000000-mapping.dmp

Download
memory/1876-272-0x0000000000000000-mapping.dmp

Download
memory/1880-222-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1880-219-0x0000000000000000-mapping.dmp

Download
memory/1880-225-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/1948-264-0x0000000000000000-mapping.dmp

Download
memory/1972-283-0x0000000000000000-mapping.dmp

Download
memory/2008-231-0x0000000000000000-mapping.dmp

Download
memory/2008-234-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/2008-237-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/2020-302-0x0000000000000000-mapping.dmp

Download
memory/2036-203-0x0000000000000000-mapping.dmp

Download
memory/2036-206-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download
memory/2036-208-0x0000000000C80000-0x0000000000D69000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads