Analysis
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31/12/2023, 05:17
Behavioral task: behavioral1
Sample: 29aee1ebc452c57d9bfaee973ae89873.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 29aee1ebc452c57d9bfaee973ae89873.exe
Resource: win10v2004-20231215-en
General
Target: 29aee1ebc452c57d9bfaee973ae89873.exe
Size: 27KB
MD5: 29aee1ebc452c57d9bfaee973ae89873
SHA1: 194151b20390a3a62032edc9de03f018817c060e
SHA256: 69d28d8e343dde25f6a6cd12a50e50137e699863d69638aa5682bc213a28615c
SHA512: 89a9b537feb77f227f6ba7e3b9d6345e4c7a4381eec1d9f720e9ae46e5154f6a5bf6b37b0c2b47f953ec56743084f89d8d586095be4c578a52c27aa645cbe11d
SSDEEP: 768:1GRc7leirgHx1GpQXypO0fsovdeMYxax:6icHrktTfsqsxA
Malware Config
Signatures
Disables Task Manager via registry modification
Sets file execution options in registry (2 TTPs, 64 IoCs)
Deletes itself (1 IoCs)
pid 2908, Process cmd.exe
Executes dropped EXE (1 IoCs)
pid 3056, Process Systom.exe
Loads dropped DLL (2 IoCs)
pid 3036, Process 29aee1ebc452c57d9bfaee973ae89873.exe
pid 3036, Process 29aee1ebc452c57d9bfaee973ae89873.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crsss = "C:\\Windows\\system32\\Systom.exe" (Process: reg.exe)
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file (1 TTPs, 8 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (6 IoCs)
Drops file in Program Files directory (43 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 9 IoCs
pid Process 2596 reg.exe 2844 reg.exe 2772 reg.exe 2724 reg.exe 2312 reg.exe 2816 reg.exe 2832 reg.exe 2732 reg.exe 2992 reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3056 Systom.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeSystemtimePrivilege 3056 Systom.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2396 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2396 iexplore.exe 2396 iexplore.exe 1376 IEXPLORE.EXE 1376 IEXPLORE.EXE 1376 IEXPLORE.EXE 1376 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Image: C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 3036

Image: C:\Windows\SysWOW64\Systom.exe (level 2)
Command line: C:\Windows\system32\Systom.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3056

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Adds Run key to start application
- Modifies registry key
PID: 2312

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
PID: 2152

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_dword /d 00000001 /f
PID: 2700

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_SZ /d 0 /f
- Modifies registry key
PID: 2816

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
- Modifies registry key
PID: 2832

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_dword /d 00000002 /f
- Modifies registry key
PID: 2732

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
- Modifies registry key
PID: 2596

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
- Modifies registry key
PID: 2844

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
- Modifies registry key
PID: 2772

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v Text /t REG_SZ /d ÏÔʾËùÓÐÎļþºÍÎļþ¼Ð /f
- Modifies registry key
PID: 2992

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /f
- Modifies registry key
PID: 2724

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2052

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2056

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1200

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1480

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1468

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1656

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1176

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2892

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2748

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2920

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRuns.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 844

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1968

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1996

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1492

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2272

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1964

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 944

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2484

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1668

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1196

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2492

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 3048

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1680

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1112

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 3012

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2308

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2356

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2668

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2316

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 684

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1064

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2340

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2364

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1548

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 964

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1184

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1628

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2012

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1800

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 780

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2416

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2036

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 876

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1624

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1244

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2112

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 1644

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 852

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 3052

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2856

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 3028

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2796

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2980

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2088

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1212

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1716

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2700

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2816

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2992

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2724

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 3004

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2708

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2740

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 3064

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2124

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2052

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 1208

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2556

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 240

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 956

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
- Sets file execution options in registry
PID: 2960

Image: C:\Windows\SysWOW64\reg.exe (level 3)
Command line: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
PID: 2752
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2912
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:1952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2512
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:1592
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:1084
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:940
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:892
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:1640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:3016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:600
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:788
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2132
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:2340
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:708
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2364
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:988
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:1768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:2372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵PID:908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.1390578.cn/tj.asp3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1376
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F3⤵
- Sets file execution options in registry
PID:1628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵PID:2612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2056
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵PID:2588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵PID:1684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1496
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2272
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:660
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵PID:644
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2308
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2316
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2428
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1492
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1404
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1724
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:3036
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1700
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1148
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2124
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2172
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵PID:1956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1992
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1540
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2108
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2356
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2012
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵PID:2880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:3024
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵PID:1816
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:772
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1108
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:1176
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2976
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1996
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2924
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:1756
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2760
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f3⤵
- Modifies Internet Explorer settings
PID:2088
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f3⤵PID:2752
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat2⤵PID:1884
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat""2⤵
- Deletes itself
PID:2908
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-16056037441240331933-2066230749624298003171305080655816849773294420349469388"1⤵PID:1656
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-181362951-19072142232024748048814361043783913293235264944-615845393469586995"1⤵
- Sets file execution options in registry
PID:2484
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1061631238-655928536197065809421069384001101640930-1185731885537052311-736693079"1⤵
- Sets file execution options in registry
PID:1196
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1923967310-20355602891264898065-193264912-114898951619443122601132513975132553088"1⤵
- Sets file execution options in registry
PID:2356
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-387273155520954163-1964403031-8262355702142066477-50081556414687370522011800364"1⤵PID:1112
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1321833862-75171792189726044913569095341423681822-43456693575480817388421514"1⤵
- Sets file execution options in registry
PID:876
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-737062511985333286-17229425843988950911647247421-10938406541295123912412048214"1⤵PID:2752
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD510e98a4f1543c94caaa5f477ad6a211a
SHA1c61e27e7c45c3fa20dbc063a42c034ca4fd5ab1d
SHA25671cdd4369d742720152269617f47d9788fce13901034787262bdcc3762fb15c4
SHA5124279d237fd5fd5c07885eb39bf53e7cf0f279b78a1f784ac4ff602bfa94e73ab68a29bd5e478a29a6842c01f66ac52b13fa4d8ff9b477d3af0a03f8c18ef5b2d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b02753f7abb4a6be35aa599e5390a4b6
SHA14b613d504c0e8b6a6f0cdb5d4ae79df89eb09763
SHA2565f451c0e9fe86870a31166bb4f0d418602f84e85d8e6fe4b0fdc61dab66d8873
SHA512ef64ec3ffa9cfd6db40b3afbaf0dfd05cd11d94924c4970ef41a019d62d21dc7502c19c6a3147eb49a14173b1cca72d115f08bfb4c2809d5eed5f2a2abde1b1d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56a80448b7dcf2eb420945a44e57fec29
SHA1f570ab7946e2024c1dac1af9453aaff4e5030fec
SHA256855bd3ca5d2800f25f05eff69763ae727e3d2c2280d44683c0e50427d4e6e02c
SHA5121afbab67ffaf6d2d1dbdc7b9e240a35641ce02ccafcedf1ac86486852c71c8a236afceab9dd8b851bca925779fe31bf90082f78981421a322caac6d6626e6320
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD558381a7dd0bd6df51f211824972bbaff
SHA1d8a38238ac67aed0c67728a820c678ba5f58b7b3
SHA256ce3d5d3cfc57d9f7704765853849e2bf6ceb7acd71f9c4b50b307f650ea6d0ce
SHA5126cfeb84e15a19966bb6346557943dc7f064f7744d2ecd5fef0995010468a0be3014768762f8e8e02a53a273da88e3d141d6c4381ead0776e8bd805f5079f51d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5acb7c86bcdbf63e707273ff7c65b6342
SHA1284cfa86c95a3650536594a4f9d65360dc274832
SHA25650d47eff66a3c7b97905dabba3398e3b3fdc8b273a150f33d4d7bd92183afc85
SHA5129132652b1e2c928151245ac9ff3fac941970e3cdd8c0517b35bb15516779ba256879326ff1e34c7894757880b70ff5cd3b764b5696ac102ee4ab8bfeadb4c777
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5414692f1c72e791e57b39855ea411a0e
SHA1137515c015b30a62f9f907054ea659e9a25ada5f
SHA256f118b4b3e148d4fd2d2b13e5b6d75ecf377db2378ce801f3574043b19a041d59
SHA5121f749e981bce11078764980789124230d667adf70e5f0ff16da3868fc5da78f57c07ac6c2a2404bbc5e2c1176b5037aee5b5508adf50574d4fca138369f30c52
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD587a2d0843d0e8c753b9599bfd0f26380
SHA13222ca51412a702e356ccaba31745824c1fdd8fa
SHA256bec4ef79bd99215f79d55269ba6d6c839876cc79b8e5800d0d19f8df7938074a
SHA51280c8558f732da69dcfce1dc0dcfa228f5bc6cccbe2c5b3129f93975624ee405289d3317e598147732252cf36b1e38d86efd6e7aa4849cb2826cd3500801f24c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5fe54542f9e85b2a59367f893841ec25b
SHA14d7d32ac3021ed7210a2f5d4229877b6b1b4c183
SHA2567f021c5bf1f09d145db838a2b743940677d1b6d306791a53d4a48bdf6ea8c3fc
SHA5122d4a80bec67b131002dbb6855c00c1ba64881117de47b32b34a885dcbbf8ae40736038cc30121f04a4021f2076288e732f552fc8c42a5b42d37f804b55db3462
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5150348e053cdb568adec6351a7aac311
SHA1ae06c0ea1106f7ed1ff8eed6fbdcf55170bd3599
SHA256ef08dba7d8d60781884dcc754eb6724f93fe2a9d6d5aae37696cfcb981339f47
SHA512bc8f8060c4ba00a5613b8056681339fc208c248804a9dc2c177cb1c0a3a01c354b791065f3addde217c554b863438bc98a3604a161c479cc86b0ede0e33ef311
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ba28f7bd069f8c83d78c044d46c3c638
SHA18ac5dd82be1465bcd53f90669770043567cf63cf
SHA256b4a97bba15d1ee5b80d12227ddfec8d24a4a1a5dda27464e7cce35ba45b3aaa3
SHA512366bf5a1eda9cc0020175ff61a86a85acccda2658c81d97d67c96ea8960d7d5d54ec6046a8bbf31884a2d544fb77599f6dbe82154797f4cd1c4a8d0bd7cf8935
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a69e608a906e70c41e1d0e7b80df6917
SHA1f819c7bf3182fa1c1725fbf64a318f0ea0230056
SHA256dc0081721b76b2258255b4d44b80380189e0c007deeff7c3e021872421dd5a82
SHA51211c77af41e5a34d02ca7d824cc752d84a412416c53cb086745ec2ec9c38e161567e1e7ec8210141ced982b5ab34559191f01cb228b2e0322292c953d958e520b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD559cbd57a377e763d73bfe3c7a849d6fc
SHA11d3e2fd0c35c125225192aa3d288883ecfd31875
SHA2567cc5fe56c3f380fe791892248866e49e4ed1f3e38e46e013362f149e5a82dfd4
SHA512e33cca778f7d458111bc6fdfe4b4fc5d8995d6db007461f7c63cbc4b4c863c50ec14f7c2546f4f4684e70d194a3e8feba4fd88ace60c339c63e30e3ea9795b50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD519538e7a6dfc26a540a210510ae7bead
SHA1513cb4e7821695985ba9a691c91ba6d0239ebed3
SHA25662cef6b9a31e0a56dd65180e5476b107b6808f4e4c4c3568ae2b68b1ca47f495
SHA51204b71b9d2e65261bbb28a6aef6a520c8b74b2e911d8217a80765970ba3a1d15ec689ac22f489e5d76dad19b6b6907c86a5bd1f39a0a9ce9e3f9bc76c425c7df1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c2cc2b84e2f27de2e55414774e57ea12
SHA1f1263de93a4fb8989b2e9f511e027ca80e59aad6
SHA256f516ef010ddd385d7e6041c7f9079ee292a7a251ae651b44a6f468b32f95ef21
SHA512101ecb717fcf678df2468834e5e10de574c7b67c666dd2040d706fd49edb562d98194adb61e09cb5fdf912fc33c7b2a335386f11d249169588dce9e796207ff4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d845576ef61f84c905fd157f37e7eac7
SHA198f5dede0d5717748dcace62a3b27c556566d31d
SHA2565ce9df0abb420835c4a0e17fe99c08aa5df19fa7b993b540b0a9c870063b2e6c
SHA512a0a02458619d4859625fd487f555bfea068d85171ae8fecbb084ea5050fc936bd46d1319245ce88a317758140d55eb1d949606538f3d7195cdfeaa363bd498b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cf51b933f346e8a9890744d793cee72d
SHA1542ef41868a9c482a932305da37cd39e5bc5cf99
SHA256464b769922f6db149d0f3d57f79269f9f2a2ec04e971db680770d54304290040
SHA512bef64e120554c2181056c06b21e1c4e211cc2e8c17c7779c266641c89044d191ab12bf8102023625fed8068d4bc4327fe5bf56dfe349a0780f84de019898e0b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cf382fad493bbe6794f692785850a297
SHA1d17d68f2d1773a2985f5f4f58979992d5fc7ed62
SHA25698ea8f91d712df4b5ed6786b000e84f2a89d89d4949c488771caf3712ad68045
SHA5128ff4c2b223667429e7b5de12bce25a4f5760dc42669a03bdd69af9933ac31a8a8fbf45f65a1d9f726f44f167e691b1a40566f2ab123755b49de6c059f811ff45
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53dbe8decd21a0f93dc9f934fcb45119c
SHA1b612fca15ba5fd385ee2a0f5ae834510f712f846
SHA256221988ca050c95d822cfac9d9df3c80dc862fb6f2c94526ef010ebb8614438fb
SHA512316b9f46be3d65c6767d7e55a8d04b009ba6cc6092ea7f3ddee4425d027d9d5099bd1df549bd4d3285f15f8a629ac106ad00dfc9e9a259207c751e61fd774bff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5aca97e099dfbdc2f552328a514319287
SHA11915a8ceac9b5c39b5c4a4dbd7b43da3b543b8db
SHA256b76d67ff5fcab5c614c23ad1f03bf69d8e975d5cd5e796b07d565314160b7d4e
SHA51244d3768a3b8dd260a04e53a3e84166847d73cefdda6541f875f8807b06f29c9f8926430b7de12c5f36e82613164c6b1d8f9a1b5c20a6a281c0b75e9eb80a80a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51fc106667e261d484eb799484672c7b3
SHA1a5243d245aa2232f2715050ec8a76fb641628c51
SHA2562c6fa81c88907c48325a75198a565899a9e0664533c043b174802680f0bc3dcf
SHA512c0a83d00e8c9acab9191afdd07332b3e5d72a0abd050ec971487cafbd2b3cd107f01b99ee15ebb328dd6ea334b2b9e815234329763f21104046b1bb525008944
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5edff90dd2ed72b0283aacf6c16b95414
SHA1b07b4bd867355f6643ea9697309189337e8766df
SHA256cba5bc253e4f5d38e6e91e9b7c4f38df8d1680c0abb6d99a98d44e01cc4a217a
SHA5120aa71df721f98386787292f85a9bbfbe8ca921b0c4a6e7cb0f1d63a3fd850d49b1215baba6dee07d47f9c193086faf8db7f90dad9998b66fe4508c263f8bcd7f
-
Filesize
184B
MD571d35bc5913c09e9eb6a11d9f29e65d8
SHA17055487dafa72344122e6fa156b214c919a111cd
SHA256099774f0f772cb4f0b476acd7683dbe1d39fa91f1c65a98604bc88ad1f576eb9
SHA5122e12fc58e7b867a00f1cf11c391a3ea49ad49a927e043e344f6e5087f07bd3ffc6aa2de447bc47858ef9af90b5943341e8846f423ab5b21937829c8c52304bf8
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
156B
MD5a1d4181824dc5e8ecec8369fa67864e4
SHA1e1ec2b149df84a6b73d6e51fb696c79cac9fc4e6
SHA256f6d56418c59ba518590b873917ec7fda9b7555b75161fc017e04d889dcfff9a5
SHA512e36a3c5341fed3714d3dcd1c48faf24dc4207809d246b21f9988c655acf63cb6dc5a0d6888be8303af90905087d798c264f936cbcd39019897ccc26c9ee4c07f
-
Filesize
27KB
MD529aee1ebc452c57d9bfaee973ae89873
SHA1194151b20390a3a62032edc9de03f018817c060e
SHA25669d28d8e343dde25f6a6cd12a50e50137e699863d69638aa5682bc213a28615c
SHA51289a9b537feb77f227f6ba7e3b9d6345e4c7a4381eec1d9f720e9ae46e5154f6a5bf6b37b0c2b47f953ec56743084f89d8d586095be4c578a52c27aa645cbe11d