description	ioc	Process
File created	C:\Windows\system32\usPZ\WindowsAnytimeUpgradeResults.exe	cmd.exe
File opened for modification	C:\Windows\system32\usPZ\WindowsAnytimeUpgradeResults.exe	cmd.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\2G0GxB.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile\shell\open	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\MSCFile\shell	Process not Found

pid	Process
2436	rundll32.exe
2436	rundll32.exe
2436	rundll32.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

description	pid	Process	procid_target
PID 1272 wrote to memory of 3008	1272	Process not Found	29
PID 1272 wrote to memory of 3008	1272	Process not Found	29
PID 1272 wrote to memory of 3008	1272	Process not Found	29
PID 1272 wrote to memory of 3012	1272	Process not Found	31
PID 1272 wrote to memory of 3012	1272	Process not Found	31
PID 1272 wrote to memory of 3012	1272	Process not Found	31
PID 1272 wrote to memory of 2816	1272	Process not Found	32
PID 1272 wrote to memory of 2816	1272	Process not Found	32
PID 1272 wrote to memory of 2816	1272	Process not Found	32
PID 1272 wrote to memory of 3024	1272	Process not Found	33
PID 1272 wrote to memory of 3024	1272	Process not Found	33
PID 1272 wrote to memory of 3024	1272	Process not Found	33
PID 1272 wrote to memory of 1216	1272	Process not Found	35
PID 1272 wrote to memory of 1216	1272	Process not Found	35
PID 1272 wrote to memory of 1216	1272	Process not Found	35
PID 1216 wrote to memory of 1516	1216	eventvwr.exe	36
PID 1216 wrote to memory of 1516	1216	eventvwr.exe	36
PID 1216 wrote to memory of 1516	1216	eventvwr.exe	36
PID 1516 wrote to memory of 1228	1516	cmd.exe	38
PID 1516 wrote to memory of 1228	1516	cmd.exe	38
PID 1516 wrote to memory of 1228	1516	cmd.exe	38
PID 1272 wrote to memory of 2200	1272	Process not Found	39
PID 1272 wrote to memory of 2200	1272	Process not Found	39
PID 1272 wrote to memory of 2200	1272	Process not Found	39
PID 2200 wrote to memory of 1656	2200	cmd.exe	41
PID 2200 wrote to memory of 1656	2200	cmd.exe	41
PID 2200 wrote to memory of 1656	2200	cmd.exe	41
PID 1272 wrote to memory of 1620	1272	Process not Found	42
PID 1272 wrote to memory of 1620	1272	Process not Found	42
PID 1272 wrote to memory of 1620	1272	Process not Found	42
PID 1620 wrote to memory of 1584	1620	cmd.exe	44
PID 1620 wrote to memory of 1584	1620	cmd.exe	44
PID 1620 wrote to memory of 1584	1620	cmd.exe	44
PID 1272 wrote to memory of 380	1272	Process not Found	45
PID 1272 wrote to memory of 380	1272	Process not Found	45
PID 1272 wrote to memory of 380	1272	Process not Found	45
PID 380 wrote to memory of 696	380	cmd.exe	47
PID 380 wrote to memory of 696	380	cmd.exe	47
PID 380 wrote to memory of 696	380	cmd.exe	47
PID 1272 wrote to memory of 752	1272	Process not Found	48
PID 1272 wrote to memory of 752	1272	Process not Found	48
PID 1272 wrote to memory of 752	1272	Process not Found	48
PID 752 wrote to memory of 2616	752	cmd.exe	50
PID 752 wrote to memory of 2616	752	cmd.exe	50
PID 752 wrote to memory of 2616	752	cmd.exe	50
PID 1272 wrote to memory of 1524	1272	Process not Found	51
PID 1272 wrote to memory of 1524	1272	Process not Found	51
PID 1272 wrote to memory of 1524	1272	Process not Found	51
PID 1524 wrote to memory of 1376	1524	cmd.exe	53
PID 1524 wrote to memory of 1376	1524	cmd.exe	53
PID 1524 wrote to memory of 1376	1524	cmd.exe	53
PID 1272 wrote to memory of 2072	1272	Process not Found	54
PID 1272 wrote to memory of 2072	1272	Process not Found	54
PID 1272 wrote to memory of 2072	1272	Process not Found	54
PID 2072 wrote to memory of 1364	2072	cmd.exe	56
PID 2072 wrote to memory of 1364	2072	cmd.exe	56
PID 2072 wrote to memory of 1364	2072	cmd.exe	56

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads