38b9b8ce46960c89911829a3d09c9fa2f61fd8a9a634f4293cc625dcf65803b3

Analysis

max time kernel
124s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c3fda4ff09940ca177d13c0bb3f187.exe
Size

422KB
MD5

00c3fda4ff09940ca177d13c0bb3f187
SHA1

eb366e746c352d9b55661f46a57d44990162b808
SHA256

38b9b8ce46960c89911829a3d09c9fa2f61fd8a9a634f4293cc625dcf65803b3
SHA512

7eb0f82ed64e1c5071b276cf478754f9163ab70d45eb7f1888175de2db701e8a6378fb661440d0212137302fa8059d2a40db019b28ac196a2bace19898984faf
SSDEEP

6144:3/2aLWp4E0ETZY1T23Eu0i67n4+f74PEAh2g/JS8A77iiYce47jstv6DJg:3/2MWZZJUpi64i4PT5Ipnre4soDO

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\pG21800AlLfC21800\\pG21800AlLfC21800.exe"	00c3fda4ff09940ca177d13c0bb3f187.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	pG21800AlLfC21800.exe

Modifies Installed Components in the registry 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
4852	pG21800AlLfC21800.exe

Executes dropped EXE 1 IoCs

pid	Process
4852	pG21800AlLfC21800.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5080-1-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/5080-10-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/5080-19-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4852-21-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4852-27-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4852-34-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4852-36-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4852-37-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pG21800AlLfC21800 = "C:\\ProgramData\\pG21800AlLfC21800\\pG21800AlLfC21800.exe"	pG21800AlLfC21800.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1128	5080	WerFault.exe	87
2052	4852	WerFault.exe	105

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{40E5C5A4-0159-44C9-A3C5-2E4A0BF7AED5}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{2BD8ED49-C02F-48A2-AD12-8CEBE046C3A9}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{2BAB2E55-6B7C-44B5-8A34-5C98E2F21231}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{50B20D45-41FD-4E00-9C20-65877D5DCB55}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{E293AC14-B1E3-4620-8FA4-D72AB151240D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{8AD603EE-03AC-49FE-ADD6-E9FFC3C77981}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{A589D1D6-6CE7-4276-99C5-78C447B6BE39}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{D911EA6D-EAE4-4A90-8568-E61ABF854411}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{37911D55-3E5B-4F23-94BF-83649E6966DE}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{A76123B7-A5B5-4B86-AFF3-D68C0FCC08D6}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe
5080	00c3fda4ff09940ca177d13c0bb3f187.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	00c3fda4ff09940ca177d13c0bb3f187.exe
Token: SeDebugPrivilege	4852	pG21800AlLfC21800.exe
Token: SeShutdownPrivilege	3624	explorer.exe
Token: SeCreatePagefilePrivilege	3624	explorer.exe
Token: SeShutdownPrivilege	3624	explorer.exe
Token: SeCreatePagefilePrivilege	3624	explorer.exe
Token: SeShutdownPrivilege	3624	explorer.exe
Token: SeCreatePagefilePrivilege	3624	explorer.exe
Token: SeShutdownPrivilege	3624	explorer.exe
Token: SeCreatePagefilePrivilege	3624	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeCreatePagefilePrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeCreatePagefilePrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeCreatePagefilePrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeCreatePagefilePrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	4708	explorer.exe
Token: SeCreatePagefilePrivilege	4708	explorer.exe
Token: SeShutdownPrivilege	4708	explorer.exe
Token: SeCreatePagefilePrivilege	4708	explorer.exe
Token: SeShutdownPrivilege	4708	explorer.exe
Token: SeCreatePagefilePrivilege	4708	explorer.exe
Token: SeShutdownPrivilege	4708	explorer.exe
Token: SeCreatePagefilePrivilege	4708	explorer.exe
Token: SeShutdownPrivilege	3228	explorer.exe
Token: SeCreatePagefilePrivilege	3228	explorer.exe
Token: SeShutdownPrivilege	3228	explorer.exe
Token: SeCreatePagefilePrivilege	3228	explorer.exe
Token: SeShutdownPrivilege	3228	explorer.exe
Token: SeCreatePagefilePrivilege	3228	explorer.exe
Token: SeShutdownPrivilege	3228	explorer.exe
Token: SeCreatePagefilePrivilege	3228	explorer.exe
Token: SeShutdownPrivilege	2512	explorer.exe
Token: SeCreatePagefilePrivilege	2512	explorer.exe
Token: SeShutdownPrivilege	2512	explorer.exe
Token: SeCreatePagefilePrivilege	2512	explorer.exe
Token: SeShutdownPrivilege	2512	explorer.exe
Token: SeCreatePagefilePrivilege	2512	explorer.exe
Token: SeShutdownPrivilege	2512	explorer.exe
Token: SeCreatePagefilePrivilege	2512	explorer.exe
Token: SeShutdownPrivilege	2512	explorer.exe
Token: SeCreatePagefilePrivilege	2512	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	4640	explorer.exe
Token: SeCreatePagefilePrivilege	4640	explorer.exe
Token: SeShutdownPrivilege	4640	explorer.exe
Token: SeCreatePagefilePrivilege	4640	explorer.exe
Token: SeShutdownPrivilege	4640	explorer.exe
Token: SeCreatePagefilePrivilege	4640	explorer.exe
Token: SeShutdownPrivilege	4640	explorer.exe
Token: SeCreatePagefilePrivilege	4640	explorer.exe
Token: SeShutdownPrivilege	3124	explorer.exe
Token: SeCreatePagefilePrivilege	3124	explorer.exe
Token: SeShutdownPrivilege	3124	explorer.exe
Token: SeCreatePagefilePrivilege	3124	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4672	sihost.exe
1080	sihost.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3816	sihost.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
4852	pG21800AlLfC21800.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
3124	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
3624	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
4852	pG21800AlLfC21800.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
3228	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
2512	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
4640	explorer.exe
3124	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3584	OfficeClickToRun.exe
4852	pG21800AlLfC21800.exe
4852	pG21800AlLfC21800.exe
4040	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4852	5080	00c3fda4ff09940ca177d13c0bb3f187.exe	105
PID 5080 wrote to memory of 4852	5080	00c3fda4ff09940ca177d13c0bb3f187.exe	105
PID 5080 wrote to memory of 4852	5080	00c3fda4ff09940ca177d13c0bb3f187.exe	105
PID 4348 wrote to memory of 3624	4348	sihost.exe	117
PID 4348 wrote to memory of 3624	4348	sihost.exe	117

C:\Users\Admin\AppData\Local\Temp\00c3fda4ff09940ca177d13c0bb3f187.exe
"C:\Users\Admin\AppData\Local\Temp\00c3fda4ff09940ca177d13c0bb3f187.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 896
  2⤵
  - Program crash
  PID:1128
- C:\ProgramData\pG21800AlLfC21800\pG21800AlLfC21800.exe
  "C:\ProgramData\pG21800AlLfC21800\pG21800AlLfC21800.exe" "C:\Users\Admin\AppData\Local\Temp\00c3fda4ff09940ca177d13c0bb3f187.exe"
  2⤵
  - Modifies security service
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 904
    3⤵
    - Program crash
    PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5080 -ip 5080
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4852 -ip 4852
1⤵
PID:4340

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:4672

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1080

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3624

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2768

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3816

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2916

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4708

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2512

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3164

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4640

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3124

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:448

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:776

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:2816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:2980

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:2488

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:4328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:2796

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
PID:2204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1436

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2720

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3936

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5020

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2368

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1884

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3840

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1656

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:404

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4200

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4992

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pG21800AlLfC21800\pG21800AlLfC21800.exe

Filesize
422KB

MD5
a7f43aa8c797a6ca5b937082cc09416f

SHA1
ad15840a364eb8c065924260beec2ec47e5a3618

SHA256
1f6f52539dd1735e2bcb48343649b92e0dc7e3dca14504b67cc4423da4badf87

SHA512
e27330dc5b316778fd9485ce0c70727c5643d0ebf1e227c6670100e7d65825b29d5f5e2fff0a6090cc9a44592a4c52837f95a57b9f8ec4f47b973d7b2f0b1768

Download Submit
memory/2204-35-0x00007FFD54C50000-0x00007FFD54C7E000-memory.dmp

Filesize
184KB

Download
memory/4852-21-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4852-27-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4852-34-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4852-36-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4852-37-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/5080-0-0x0000000002260000-0x0000000002263000-memory.dmp

Filesize
12KB

Download
memory/5080-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/5080-10-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/5080-19-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download