071164ddf0c732062c9e265e0cbf2b17de101e77e7acbe75efedf2717716c723

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e1358a4329a1f89efcecfc906163e8b.exe
Size

422KB
MD5

0e1358a4329a1f89efcecfc906163e8b
SHA1

65fe81d71c3cd6010977addcf8d6c09936a4cf69
SHA256

071164ddf0c732062c9e265e0cbf2b17de101e77e7acbe75efedf2717716c723
SHA512

a1464e4943fb58ec96a61efba7bc4131709ae24771229e8c2830f275ba82693f05bc5576c2e11c847dcbeb2513d1748094a1cdfe6548eee9083124cbca837832
SSDEEP

6144:1fv08mJ7CuXCAPHQ/xjLqdjY4/ea2L/LcVx8Ny9uAJmEcZw9OAO5:1fd8SAfuLqdjqa2L4kU9uAkEcZyO

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\oD37001ImIlL37001\\oD37001ImIlL37001.exe"	0e1358a4329a1f89efcecfc906163e8b.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	oD37001ImIlL37001.exe

Modifies Installed Components in the registry 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
4788	oD37001ImIlL37001.exe

Executes dropped EXE 1 IoCs

pid	Process
4788	oD37001ImIlL37001.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/568-1-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/568-10-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/568-20-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4788-21-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4788-27-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4788-34-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4788-36-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4788-39-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oD37001ImIlL37001 = "C:\\ProgramData\\oD37001ImIlL37001\\oD37001ImIlL37001.exe"	oD37001ImIlL37001.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4588	568	WerFault.exe	88
4948	4788	WerFault.exe	108

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{BF49F081-97C5-4CFE-B47D-FB13B045A0C9}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{8F9326EE-BAC1-4CA4-9BFB-25F8CE7295F5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{E0383CF7-FD79-4A6D-9799-BE00655943CF}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{44887A5E-C9D5-41A3-93FD-D60FD4ADFFAA}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{A982991E-EB42-47DC-BED4-A34426E488AE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{8C3EF4FB-1D45-4E39-9ED4-1C7367B32986}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{731E242E-80C4-42BE-8FCE-26A58DD1FB20}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{62443E26-9A08-4F16-85E6-00A97C644BFC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{4CACC733-ABCF-400B-B1AF-98E5FE114FF4}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{2E25BB68-FB8E-4B14-826D-559177E10130}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3791175113-1062217823-1177695025-1000\{DF7FAA68-0BB9-4CC9-90D3-6B0E710C5C77}	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe
568	0e1358a4329a1f89efcecfc906163e8b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	0e1358a4329a1f89efcecfc906163e8b.exe
Token: SeDebugPrivilege	4788	oD37001ImIlL37001.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	4396	explorer.exe
Token: SeCreatePagefilePrivilege	4396	explorer.exe
Token: SeShutdownPrivilege	3960	explorer.exe
Token: SeCreatePagefilePrivilege	3960	explorer.exe
Token: SeShutdownPrivilege	3960	explorer.exe
Token: SeCreatePagefilePrivilege	3960	explorer.exe
Token: SeShutdownPrivilege	3960	explorer.exe
Token: SeCreatePagefilePrivilege	3960	explorer.exe
Token: SeShutdownPrivilege	3960	explorer.exe
Token: SeCreatePagefilePrivilege	3960	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	848	explorer.exe
Token: SeCreatePagefilePrivilege	848	explorer.exe
Token: SeShutdownPrivilege	5108	explorer.exe
Token: SeCreatePagefilePrivilege	5108	explorer.exe
Token: SeShutdownPrivilege	5108	explorer.exe
Token: SeCreatePagefilePrivilege	5108	explorer.exe
Token: SeShutdownPrivilege	5108	explorer.exe
Token: SeCreatePagefilePrivilege	5108	explorer.exe
Token: SeShutdownPrivilege	5108	explorer.exe
Token: SeCreatePagefilePrivilege	5108	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	5020	explorer.exe
Token: SeCreatePagefilePrivilege	5020	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeCreatePagefilePrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeCreatePagefilePrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeCreatePagefilePrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeCreatePagefilePrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2748	explorer.exe
Token: SeCreatePagefilePrivilege	2748	explorer.exe
Token: SeShutdownPrivilege	2748	explorer.exe
Token: SeCreatePagefilePrivilege	2748	explorer.exe
Token: SeShutdownPrivilege	2748	explorer.exe
Token: SeCreatePagefilePrivilege	2748	explorer.exe
Token: SeShutdownPrivilege	2748	explorer.exe
Token: SeCreatePagefilePrivilege	2748	explorer.exe
Token: SeShutdownPrivilege	4056	explorer.exe
Token: SeCreatePagefilePrivilege	4056	explorer.exe
Token: SeShutdownPrivilege	4056	explorer.exe
Token: SeCreatePagefilePrivilege	4056	explorer.exe
Token: SeShutdownPrivilege	4056	explorer.exe
Token: SeCreatePagefilePrivilege	4056	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5056	sihost.exe
3592	sihost.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
3800	sihost.exe
4396	explorer.exe
3516	sihost.exe
3960	explorer.exe
4788	oD37001ImIlL37001.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
4788	oD37001ImIlL37001.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	Process not Found
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe
4056	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4788	oD37001ImIlL37001.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
4788	oD37001ImIlL37001.exe
3960	explorer.exe
3960	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
848	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
5020	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
2748	explorer.exe
4056	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2828	OfficeClickToRun.exe
4788	oD37001ImIlL37001.exe
4788	oD37001ImIlL37001.exe
536	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 4788	568	0e1358a4329a1f89efcecfc906163e8b.exe	108
PID 568 wrote to memory of 4788	568	0e1358a4329a1f89efcecfc906163e8b.exe	108
PID 568 wrote to memory of 4788	568	0e1358a4329a1f89efcecfc906163e8b.exe	108
PID 3272 wrote to memory of 4396	3272	sihost.exe	120
PID 3272 wrote to memory of 4396	3272	sihost.exe	120

C:\Users\Admin\AppData\Local\Temp\0e1358a4329a1f89efcecfc906163e8b.exe
"C:\Users\Admin\AppData\Local\Temp\0e1358a4329a1f89efcecfc906163e8b.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 908
  2⤵
  - Program crash
  PID:4588
- C:\ProgramData\oD37001ImIlL37001\oD37001ImIlL37001.exe
  "C:\ProgramData\oD37001ImIlL37001\oD37001ImIlL37001.exe" "C:\Users\Admin\AppData\Local\Temp\0e1358a4329a1f89efcecfc906163e8b.exe"
  2⤵
  - Modifies security service
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 880
    3⤵
    - Program crash
    PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 568 -ip 568
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4788 -ip 4788
1⤵
PID:868

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:5056

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3592

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4652

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3800

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3516

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3960

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:848

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5020

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2800

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4056

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:3836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3540

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:3748

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:4916

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:4232

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:4852

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:3216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4480

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:4600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3000

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2280

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:3540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3972

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3472

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2012

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4184

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1604

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:64

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5072

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:4480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3196

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4896

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4684

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oD37001ImIlL37001\oD37001ImIlL37001.exe

Filesize
422KB

MD5
a95cdf4085f5be0f642fe610493c05e1

SHA1
e826321d4d192ffe6f4217e9700c88435a2dcadf

SHA256
87aedf7c176394ffe2c205c4b454d918cd51cba91a91ef96f7bb30a1ab69725f

SHA512
6ddee2ab9760d547376ffe73716ce2ae46e312e37f03e2fc0cea4fad57928db6d59f15d0f66907a7fa4c087975a15dba4cfbe92884494e115865b0f7997076d0

Download Submit
memory/568-0-0x00000000007A0000-0x00000000007A3000-memory.dmp

Filesize
12KB

Download
memory/568-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/568-10-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/568-20-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4788-21-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4788-27-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4788-34-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4788-36-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4788-39-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4788-40-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download