Analysis
- max time kernel: 107s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 20:43
Static task: static1
Behavioral task: behavioral1
- Sample: 65fdee7c97e9f6962e15dff9624446cc.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 65fdee7c97e9f6962e15dff9624446cc.exe
- Resource: win10v2004-20231215-en
General
- Target: 65fdee7c97e9f6962e15dff9624446cc.exe
- Size: 407KB
- MD5: 65fdee7c97e9f6962e15dff9624446cc
- SHA1: b3fb1a0e21bac4363b3f26deedcc3f75691a6b9e
- SHA256: 3286f4cb252c983d5874d3420a57a7f4d5fcd8aa2bfa8a367b4110d88dd246a5
- SHA512: c1063651874fe2e69dcb7ff55d281a8944b02f33b29656adcc73eeacdee21dc1f5f1f9f87c1e54a2ded5a569965a64b857d004cde55a8579df6d4527679d7792
- SSDEEP: 12288:0dQemIdof/aZU36DTDPzplVfF4qWPAahGzE:0dXthTDdPfF4qWoai
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \\nJ31311HiPdF31311\\nJ31311HiPdF31311.exe" (process: 65fdee7c97e9f6962e15dff9624446cc.exe)
Modifies Installed Components in the registry (2 TTPs, 36 IoCs)
Deletes itself (1 IoC)
- PID 2896: nJ31311HiPdF31311.exe
Executes dropped EXE (1 IoC)
- PID 2896: nJ31311HiPdF31311.exe
Yara rule hits (resource: rule)
- behavioral2/memory/792-1-0x0000000000400000-0x00000000004CC000-memory.dmp: upx
- behavioral2/memory/792-81-0x0000000000400000-0x00000000004CC000-memory.dmp: upx
- behavioral2/memory/792-93-0x0000000000400000-0x00000000004CC000-memory.dmp: upx
- behavioral2/memory/2896-94-0x0000000000400000-0x00000000004CC000-memory.dmp: upx
- behavioral2/memory/2896-177-0x0000000000400000-0x00000000004CC000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nJ31311HiPdF31311 = "C:\\nJ31311HiPdF31311\\nJ31311HiPdF31311.exe" (process: nJ31311HiPdF31311.exe)
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\D: (process: explorer.exe)
- File opened (read-only): \??\F: (process: explorer.exe)
- File opened (read-only): \??\D: (process: explorer.exe)
- File opened (read-only): \??\F: (process: explorer.exe)
Program crash (2 IoCs)
- pid 4772, pid_target 792, WerFault.exe, procid_target 85
- pid 4136, pid_target 2896, WerFault.exe, procid_target 101
Modifies data under HKEY_USERS (52 IoCs)
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage 64 IoCs
pid Process: 3620 explorer.exe; 3620 explorer.exe; 3620 explorer.exe; 3620 explorer.exe; 3620 explorer.exe; 3620 explorer.exe; 3620 explorer.exe; 3620 explorer.exe; 3620 explorer.exe; 2896 nJ31311HiPdF31311.exe; 2380 explorer.exe; 2380 explorer.exe; 2380 explorer.exe; 2380 explorer.exe; 2380 explorer.exe; 2380 explorer.exe; 2380 explorer.exe; 2380 explorer.exe; 2380 explorer.exe; 3484 explorer.exe; 3484 explorer.exe; 3484 explorer.exe; 3484 explorer.exe; 3484 explorer.exe; 3484 explorer.exe; 3484 explorer.exe; 3484 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 1684 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 3024 explorer.exe; 820 explorer.exe; 820 explorer.exe; 820 explorer.exe; 820 explorer.exe; 820 explorer.exe; 820 explorer.exe; 820 explorer.exe; 820 explorer.exe; 820 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 3780 explorer.exe; 540 explorer.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
5016  OfficeClickToRun.exe
2140  OfficeClickToRun.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid   Process                                procid_target
PID 792 wrote to memory of 2896    792   65fdee7c97e9f6962e15dff9624446cc.exe   101
PID 792 wrote to memory of 2896    792   65fdee7c97e9f6962e15dff9624446cc.exe   101
PID 792 wrote to memory of 2896    792   65fdee7c97e9f6962e15dff9624446cc.exe   101
PID 884 wrote to memory of 3620    884   sihost.exe                             111
PID 884 wrote to memory of 3620    884   sihost.exe                             111
PID 2836 wrote to memory of 4632   2836  sihost.exe                             113
PID 2836 wrote to memory of 4632   2836  sihost.exe                             113
Processes
-
Each row gives the image path, the command line and the PID; child processes are indented under their parent, and the bullet lines list the behaviours attributed to that process.
C:\Users\Admin\AppData\Local\Temp\65fdee7c97e9f6962e15dff9624446cc.exe | "C:\Users\Admin\AppData\Local\Temp\65fdee7c97e9f6962e15dff9624446cc.exe" | PID:792
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 840 | PID:4772
    - Program crash
    C:\nJ31311HiPdF31311\nJ31311HiPdF31311.exe | "\nJ31311HiPdF31311\nJ31311HiPdF31311.exe" "C:\Users\Admin\AppData\Local\Temp\65fdee7c97e9f6962e15dff9624446cc.exe" | PID:2896
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
        C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 840 | PID:4136
        - Program crash
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 792 -ip 792 | PID:3896
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2896 -ip 2896 | PID:4724
C:\Windows\system32\sihost.exe | sihost.exe | PID:368
- Suspicious use of FindShellTrayWindow
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:5016
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
C:\Windows\system32\sihost.exe | sihost.exe | PID:4404
- Suspicious use of FindShellTrayWindow
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:2140
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
C:\Windows\system32\sihost.exe | sihost.exe | PID:1100
C:\Windows\system32\sihost.exe | sihost.exe | PID:2176
C:\Windows\system32\sihost.exe | sihost.exe | PID:884
- Suspicious use of WriteProcessMemory
    C:\Windows\explorer.exe | explorer.exe /LOADSAVEDWINDOWS | PID:3620
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
C:\Windows\system32\sihost.exe | sihost.exe | PID:2836
- Suspicious use of WriteProcessMemory
    C:\Windows\explorer.exe | explorer.exe /LOADSAVEDWINDOWS | PID:4632
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding | PID:400
C:\Windows\explorer.exe | explorer.exe | PID:2380
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding | PID:1836
C:\Windows\explorer.exe | explorer.exe | PID:3484
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe | explorer.exe | PID:1684
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe | explorer.exe | PID:3024
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe | explorer.exe | PID:820
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe | explorer.exe | PID:3780
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe | explorer.exe | PID:540
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe | explorer.exe | PID:4500
C:\Windows\explorer.exe | explorer.exe | PID:4092
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:3048
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:2044
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:5048
C:\Windows\explorer.exe | explorer.exe | PID:3404
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:2580
C:\Windows\explorer.exe | explorer.exe | PID:332
C:\Windows\explorer.exe | explorer.exe | PID:2380
- Modifies Installed Components in the registry
C:\Windows\explorer.exe | explorer.exe | PID:2092
C:\Windows\explorer.exe | explorer.exe | PID:2480
- Modifies Installed Components in the registry
C:\Windows\explorer.exe | explorer.exe | PID:4972
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:532
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:4872
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:1032
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:4500
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
C:\Windows\explorer.exe | explorer.exe | PID:4896
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:880
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:396
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:1644
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:1724
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:3620
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:4776
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:4556
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:3852
C:\Windows\explorer.exe | explorer.exe | PID:2092
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:3680
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:1092
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:2488
- Modifies Installed Components in the registry
- Modifies registry class
C:\Windows\explorer.exe | explorer.exe | PID:1656
- Modifies Installed Components in the registry
C:\Windows\explorer.exe | explorer.exe | PID:2864
C:\Windows\explorer.exe | explorer.exe | PID:3316
C:\Windows\explorer.exe | explorer.exe | PID:3548
C:\Windows\explorer.exe | explorer.exe | PID:4920
C:\Windows\explorer.exe | explorer.exe | PID:2740
C:\Windows\explorer.exe | explorer.exe | PID:1352
C:\Windows\explorer.exe | explorer.exe | PID:4504
C:\Windows\explorer.exe | explorer.exe | PID:4384
C:\Windows\explorer.exe | explorer.exe | PID:3724
C:\Windows\explorer.exe | explorer.exe | PID:4440
C:\Windows\explorer.exe | explorer.exe | PID:1936
C:\Windows\explorer.exe | explorer.exe | PID:3132
C:\Windows\explorer.exe | explorer.exe | PID:3568
C:\Windows\explorer.exe | explorer.exe | PID:3788
C:\Windows\explorer.exe | explorer.exe | PID:1828
C:\Windows\explorer.exe | explorer.exe | PID:3884
C:\Windows\explorer.exe | explorer.exe | PID:2648
C:\Windows\explorer.exe | explorer.exe | PID:1760
C:\Windows\explorer.exe | explorer.exe | PID:2720
C:\Windows\explorer.exe | explorer.exe | PID:2348
C:\Windows\explorer.exe | explorer.exe | PID:528
C:\Windows\explorer.exe | explorer.exe | PID:4448
C:\Windows\explorer.exe | explorer.exe | PID:1436
C:\Windows\explorer.exe | explorer.exe | PID:2812
C:\Windows\explorer.exe | explorer.exe | PID:3724
C:\Windows\explorer.exe | explorer.exe | PID:2264
C:\Windows\explorer.exe | explorer.exe | PID:800
C:\Windows\explorer.exe | explorer.exe | PID:2708
C:\Windows\explorer.exe | explorer.exe | PID:2716
C:\Windows\explorer.exe | explorer.exe | PID:1528
C:\Windows\explorer.exe | explorer.exe | PID:1500
C:\Windows\explorer.exe | explorer.exe | PID:3252
C:\Windows\explorer.exe | explorer.exe | PID:2864
C:\Windows\explorer.exe | explorer.exe | PID:3460
C:\Windows\explorer.exe | explorer.exe | PID:2388
C:\Windows\explorer.exe | explorer.exe | PID:2140
C:\Windows\explorer.exe | explorer.exe | PID:4348
C:\Windows\explorer.exe | explorer.exe | PID:2568
C:\Windows\explorer.exe | explorer.exe | PID:4664
C:\Windows\explorer.exe | explorer.exe | PID:3716
C:\Windows\explorer.exe | explorer.exe | PID:2144
C:\Windows\explorer.exe | explorer.exe | PID:2264
C:\Windows\explorer.exe | explorer.exe | PID:4268
C:\Windows\explorer.exe | explorer.exe | PID:2392
C:\Windows\explorer.exe | explorer.exe | PID:3768
C:\Windows\explorer.exe | explorer.exe | PID:1264
C:\Windows\explorer.exe | explorer.exe | PID:4992
C:\Windows\explorer.exe | explorer.exe | PID:432
C:\Windows\explorer.exe | explorer.exe | PID:4356
C:\Windows\explorer.exe | explorer.exe | PID:2040
C:\Windows\explorer.exe | explorer.exe | PID:4324
C:\Windows\explorer.exe | explorer.exe | PID:2740
C:\Windows\explorer.exe | explorer.exe | PID:1644
C:\Windows\explorer.exe | explorer.exe | PID:3988
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
-
Filesize 407KB
MD5 876baadd1a2e3bf2df0a04bdf8889016
SHA1 b6faa5d7b7aa9ff883212a0b0f0299de78986e21
SHA256 eeefa8655037c8cc67638f6f8365f6665321774cb4cecf2c2d7a4533aea89cfe
SHA512 044436d46444c262f63bf90c2968d8d3ef1ed61690b3b88ab0e632159d7d284dbd78e3519e2016b471a11b59baa9673a247d648b1c2721de42a4db0c6e92741d