description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\Debugger = "C:\\Windows\\system32\\Systom.exe"	reg.exe

resource	yara_rule
behavioral2/memory/4596-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/4596-1-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/files/0x000200000001e7de-4.dat	upx
behavioral2/memory/4596-6-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/4596-11-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-13-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-14-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-34-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-37-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-38-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-43-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-44-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-47-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-48-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-49-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-63-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-64-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-65-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1268-67-0x0000000000400000-0x0000000000419000-memory.dmp	upx

description	ioc	Process
File opened (read-only)	\??\t:	Systom.exe
File opened (read-only)	\??\v:	Systom.exe
File opened (read-only)	\??\y:	Systom.exe
File opened (read-only)	\??\z:	Systom.exe
File opened (read-only)	\??\g:	Systom.exe
File opened (read-only)	\??\j:	Systom.exe
File opened (read-only)	\??\l:	Systom.exe
File opened (read-only)	\??\p:	Systom.exe
File opened (read-only)	\??\k:	Systom.exe
File opened (read-only)	\??\m:	Systom.exe
File opened (read-only)	\??\r:	Systom.exe
File opened (read-only)	\??\x:	Systom.exe
File opened (read-only)	\??\h:	Systom.exe
File opened (read-only)	\??\q:	Systom.exe
File opened (read-only)	\??\w:	Systom.exe
File opened (read-only)	\??\s:	Systom.exe
File opened (read-only)	\??\u:	Systom.exe
File opened (read-only)	\??\e:	Systom.exe
File opened (read-only)	\??\i:	Systom.exe
File opened (read-only)	\??\n:	Systom.exe
File opened (read-only)	\??\o:	Systom.exe

description	ioc	Process
File created	\??\f:\auToRun.inf	Systom.exe
File opened for modification	\??\f:\auToRun.inf	Systom.exe
File opened for modification	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\auToRun.inf	Systom.exe
File opened for modification	C:\auToRun.inf	Systom.exe
File created	\??\c:\auToRun.inf	Systom.exe
File opened for modification	\??\c:\auToRun.inf	Systom.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Systom.exe	29aee1ebc452c57d9bfaee973ae89873.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	29aee1ebc452c57d9bfaee973ae89873.exe
File created	C:\Windows\SysWOW64\Systom.exe	Systom.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	Systom.exe
File opened for modification	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\auToRun.inf	Systom.exe

description	ioc	Process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\ReceiveGroup.htm	Systom.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm	Systom.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\winrthost.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office16\OSPP.HTM	Systom.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	iexplore.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1787290936"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7CF70F93-C388-11D3-B6AE-4E55496B34AD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bcf341c06c2e84895111d87005f3dbe0000000002000000000010660000000100002000000010e4c588a7d3e38c76418b7d0da8d4ce351e5b7058075ecf82276eb3ac42e14b000000000e80000000020000200000003d1e4c32700219b7138d873135a9e3ea8de6c5ca806c1ef0ecbfa66a78d70ccd2000000034223e29be821054445674b0f8fe97c6ad8784fa497c4ace00e696cfe91ee1fc40000000e8d26f02c3638078416e3b54ce118fc0f8c709fa936cb7f90767b5551482fed57407ac119c5b8e2c43d680d0227dde97ca1733b1b29fc4184da0d92d08ec2f8a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06902589557bf01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bcf341c06c2e84895111d87005f3dbe00000000020000000000106600000001000020000000c466944f9475b034751f4d08b62263b197379243e403b96f58fb86fc4c5ba82e000000000e8000000002000020000000986ea2a78a4dd66d9ab43161a027794f696c80f6e91b8c968bce4e3a3bc3ad982000000075aab9310324d72645f835f3957bd03b981fbc93d4aeb2a093cafad46d47c9e7400000002b885524c90c4661dbc529d778691709ce4ce18aded2456fa85a87a4abce85fac7d56b5d50940ea6c48bfacdbb79b3874e9ea00e0c4956d355bceb2e3a1e9a39	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ca455a9557bf01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

pid	Process
2900	reg.exe
3600	reg.exe
4940	reg.exe
3464	reg.exe
4064	reg.exe
4616	reg.exe
1652	reg.exe
2088	reg.exe
3472	reg.exe

pid	Process
3936	iexplore.exe
3936	iexplore.exe
3164	IEXPLORE.EXE
3164	IEXPLORE.EXE
3164	IEXPLORE.EXE
3164	IEXPLORE.EXE

description	pid	Process	procid_target
PID 4596 wrote to memory of 1268	4596	29aee1ebc452c57d9bfaee973ae89873.exe	91
PID 4596 wrote to memory of 1268	4596	29aee1ebc452c57d9bfaee973ae89873.exe	91
PID 4596 wrote to memory of 1268	4596	29aee1ebc452c57d9bfaee973ae89873.exe	91
PID 4596 wrote to memory of 2756	4596	29aee1ebc452c57d9bfaee973ae89873.exe	95
PID 4596 wrote to memory of 2756	4596	29aee1ebc452c57d9bfaee973ae89873.exe	95
PID 4596 wrote to memory of 2756	4596	29aee1ebc452c57d9bfaee973ae89873.exe	95
PID 4596 wrote to memory of 3340	4596	29aee1ebc452c57d9bfaee973ae89873.exe	96
PID 4596 wrote to memory of 3340	4596	29aee1ebc452c57d9bfaee973ae89873.exe	96
PID 4596 wrote to memory of 3340	4596	29aee1ebc452c57d9bfaee973ae89873.exe	96
PID 1268 wrote to memory of 4616	1268	Systom.exe	100
PID 1268 wrote to memory of 4616	1268	Systom.exe	100
PID 1268 wrote to memory of 4616	1268	Systom.exe	100
PID 1268 wrote to memory of 952	1268	Systom.exe	164
PID 1268 wrote to memory of 952	1268	Systom.exe	164
PID 1268 wrote to memory of 952	1268	Systom.exe	164
PID 1268 wrote to memory of 4848	1268	Systom.exe	104
PID 1268 wrote to memory of 4848	1268	Systom.exe	104
PID 1268 wrote to memory of 4848	1268	Systom.exe	104
PID 1268 wrote to memory of 1652	1268	Systom.exe	106
PID 1268 wrote to memory of 1652	1268	Systom.exe	106
PID 1268 wrote to memory of 1652	1268	Systom.exe	106
PID 1268 wrote to memory of 3600	1268	Systom.exe	110
PID 1268 wrote to memory of 3600	1268	Systom.exe	110
PID 1268 wrote to memory of 3600	1268	Systom.exe	110
PID 1268 wrote to memory of 2900	1268	Systom.exe	108
PID 1268 wrote to memory of 2900	1268	Systom.exe	108
PID 1268 wrote to memory of 2900	1268	Systom.exe	108
PID 1268 wrote to memory of 3464	1268	Systom.exe	113
PID 1268 wrote to memory of 3464	1268	Systom.exe	113
PID 1268 wrote to memory of 3464	1268	Systom.exe	113
PID 1268 wrote to memory of 4940	1268	Systom.exe	180
PID 1268 wrote to memory of 4940	1268	Systom.exe	180
PID 1268 wrote to memory of 4940	1268	Systom.exe	180
PID 1268 wrote to memory of 2088	1268	Systom.exe	115
PID 1268 wrote to memory of 2088	1268	Systom.exe	115
PID 1268 wrote to memory of 2088	1268	Systom.exe	115
PID 1268 wrote to memory of 4064	1268	Systom.exe	118
PID 1268 wrote to memory of 4064	1268	Systom.exe	118
PID 1268 wrote to memory of 4064	1268	Systom.exe	118
PID 1268 wrote to memory of 3472	1268	Systom.exe	211

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.