description	ioc	Process
File created	C:\Windows\system32\O3KrzU\rdpshell.exe	cmd.exe
File opened for modification	C:\Windows\system32\O3KrzU\rdpshell.exe	cmd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\9vb1jH.cmd"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\ms-settings\shell\open	Process not Found

pid	Process
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
4064	rundll32.exe
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found
3376	Process not Found

description	pid	Process
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found
Token: SeShutdownPrivilege	3376	Process not Found
Token: SeCreatePagefilePrivilege	3376	Process not Found

description	pid	Process	procid_target
PID 3376 wrote to memory of 1348	3376	Process not Found	92
PID 3376 wrote to memory of 1348	3376	Process not Found	92
PID 3376 wrote to memory of 2120	3376	Process not Found	93
PID 3376 wrote to memory of 2120	3376	Process not Found	93
PID 3376 wrote to memory of 3936	3376	Process not Found	95
PID 3376 wrote to memory of 3936	3376	Process not Found	95
PID 3376 wrote to memory of 1476	3376	Process not Found	96
PID 3376 wrote to memory of 1476	3376	Process not Found	96
PID 3376 wrote to memory of 1876	3376	Process not Found	98
PID 3376 wrote to memory of 1876	3376	Process not Found	98
PID 1876 wrote to memory of 1532	1876	fodhelper.exe	99
PID 1876 wrote to memory of 1532	1876	fodhelper.exe	99
PID 1532 wrote to memory of 1552	1532	cmd.exe	101
PID 1532 wrote to memory of 1552	1532	cmd.exe	101
PID 3376 wrote to memory of 3476	3376	Process not Found	105
PID 3376 wrote to memory of 3476	3376	Process not Found	105
PID 3476 wrote to memory of 3684	3476	cmd.exe	107
PID 3476 wrote to memory of 3684	3476	cmd.exe	107
PID 3376 wrote to memory of 3900	3376	Process not Found	109
PID 3376 wrote to memory of 3900	3376	Process not Found	109
PID 3900 wrote to memory of 4868	3900	cmd.exe	111
PID 3900 wrote to memory of 4868	3900	cmd.exe	111
PID 3376 wrote to memory of 3240	3376	Process not Found	112
PID 3376 wrote to memory of 3240	3376	Process not Found	112
PID 3240 wrote to memory of 4312	3240	cmd.exe	114
PID 3240 wrote to memory of 4312	3240	cmd.exe	114
PID 3376 wrote to memory of 4412	3376	Process not Found	122
PID 3376 wrote to memory of 4412	3376	Process not Found	122
PID 4412 wrote to memory of 4276	4412	cmd.exe	124
PID 4412 wrote to memory of 4276	4412	cmd.exe	124
PID 3376 wrote to memory of 4352	3376	Process not Found	125
PID 3376 wrote to memory of 4352	3376	Process not Found	125
PID 4352 wrote to memory of 4400	4352	cmd.exe	127
PID 4352 wrote to memory of 4400	4352	cmd.exe	127
PID 3376 wrote to memory of 364	3376	Process not Found	131
PID 3376 wrote to memory of 364	3376	Process not Found	131
PID 364 wrote to memory of 820	364	cmd.exe	133
PID 364 wrote to memory of 820	364	cmd.exe	133

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads