description	ioc	Process
File opened for modification	C:\Windows\system32\Iyx1\wbengine.exe	cmd.exe
File created	C:\Windows\system32\Iyx1\wbengine.exe	cmd.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\OrMao4j.cmd"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command	Process not Found

pid	Process
4184	rundll32.exe
4184	rundll32.exe
4184	rundll32.exe
4184	rundll32.exe
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found

description	pid	Process
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found

description	pid	Process	procid_target
PID 3436 wrote to memory of 4764	3436	Process not Found	91
PID 3436 wrote to memory of 4764	3436	Process not Found	91
PID 3436 wrote to memory of 1112	3436	Process not Found	92
PID 3436 wrote to memory of 1112	3436	Process not Found	92
PID 3436 wrote to memory of 3408	3436	Process not Found	94
PID 3436 wrote to memory of 3408	3436	Process not Found	94
PID 3436 wrote to memory of 4700	3436	Process not Found	95
PID 3436 wrote to memory of 4700	3436	Process not Found	95
PID 3436 wrote to memory of 2296	3436	Process not Found	97
PID 3436 wrote to memory of 2296	3436	Process not Found	97
PID 2296 wrote to memory of 4920	2296	fodhelper.exe	98
PID 2296 wrote to memory of 4920	2296	fodhelper.exe	98
PID 4920 wrote to memory of 4964	4920	cmd.exe	100
PID 4920 wrote to memory of 4964	4920	cmd.exe	100
PID 3436 wrote to memory of 656	3436	Process not Found	103
PID 3436 wrote to memory of 656	3436	Process not Found	103
PID 656 wrote to memory of 1476	656	cmd.exe	105
PID 656 wrote to memory of 1476	656	cmd.exe	105
PID 3436 wrote to memory of 4692	3436	Process not Found	106
PID 3436 wrote to memory of 4692	3436	Process not Found	106
PID 4692 wrote to memory of 4132	4692	cmd.exe	108
PID 4692 wrote to memory of 4132	4692	cmd.exe	108
PID 3436 wrote to memory of 2728	3436	Process not Found	109
PID 3436 wrote to memory of 2728	3436	Process not Found	109
PID 2728 wrote to memory of 540	2728	cmd.exe	111
PID 2728 wrote to memory of 540	2728	cmd.exe	111
PID 3436 wrote to memory of 740	3436	Process not Found	112
PID 3436 wrote to memory of 740	3436	Process not Found	112
PID 740 wrote to memory of 2736	740	cmd.exe	114
PID 740 wrote to memory of 2736	740	cmd.exe	114
PID 3436 wrote to memory of 4628	3436	Process not Found	115
PID 3436 wrote to memory of 4628	3436	Process not Found	115
PID 4628 wrote to memory of 4836	4628	cmd.exe	117
PID 4628 wrote to memory of 4836	4628	cmd.exe	117
PID 3436 wrote to memory of 4964	3436	Process not Found	118
PID 3436 wrote to memory of 4964	3436	Process not Found	118
PID 4964 wrote to memory of 1968	4964	cmd.exe	120
PID 4964 wrote to memory of 1968	4964	cmd.exe	120

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads