description	ioc	Process
File created	C:\Windows\system32\4zWi\Netplwiz.exe	cmd.exe
File opened for modification	C:\Windows\system32\4zWi\Netplwiz.exe	cmd.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\7d0.cmd"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command	Process not Found

pid	Process
4152	rundll32.exe
4152	rundll32.exe
4152	rundll32.exe
4152	rundll32.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found

description	pid	Process
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found
Token: SeShutdownPrivilege	3460	Process not Found
Token: SeCreatePagefilePrivilege	3460	Process not Found

description	pid	Process	procid_target
PID 3460 wrote to memory of 2348	3460	Process not Found	92
PID 3460 wrote to memory of 2348	3460	Process not Found	92
PID 3460 wrote to memory of 5080	3460	Process not Found	93
PID 3460 wrote to memory of 5080	3460	Process not Found	93
PID 3460 wrote to memory of 2888	3460	Process not Found	95
PID 3460 wrote to memory of 2888	3460	Process not Found	95
PID 3460 wrote to memory of 4244	3460	Process not Found	96
PID 3460 wrote to memory of 4244	3460	Process not Found	96
PID 3460 wrote to memory of 5112	3460	Process not Found	98
PID 3460 wrote to memory of 5112	3460	Process not Found	98
PID 5112 wrote to memory of 1672	5112	fodhelper.exe	99
PID 5112 wrote to memory of 1672	5112	fodhelper.exe	99
PID 1672 wrote to memory of 1548	1672	cmd.exe	101
PID 1672 wrote to memory of 1548	1672	cmd.exe	101
PID 3460 wrote to memory of 3632	3460	Process not Found	105
PID 3460 wrote to memory of 3632	3460	Process not Found	105
PID 3632 wrote to memory of 3764	3632	cmd.exe	107
PID 3632 wrote to memory of 3764	3632	cmd.exe	107
PID 3460 wrote to memory of 1716	3460	Process not Found	109
PID 3460 wrote to memory of 1716	3460	Process not Found	109
PID 1716 wrote to memory of 2892	1716	cmd.exe	111
PID 1716 wrote to memory of 2892	1716	cmd.exe	111
PID 3460 wrote to memory of 2284	3460	Process not Found	112
PID 3460 wrote to memory of 2284	3460	Process not Found	112
PID 2284 wrote to memory of 3608	2284	cmd.exe	114
PID 2284 wrote to memory of 3608	2284	cmd.exe	114
PID 3460 wrote to memory of 4156	3460	Process not Found	122
PID 3460 wrote to memory of 4156	3460	Process not Found	122
PID 4156 wrote to memory of 2376	4156	cmd.exe	124
PID 4156 wrote to memory of 2376	4156	cmd.exe	124
PID 3460 wrote to memory of 4920	3460	Process not Found	125
PID 3460 wrote to memory of 4920	3460	Process not Found	125
PID 4920 wrote to memory of 744	4920	cmd.exe	127
PID 4920 wrote to memory of 744	4920	cmd.exe	127
PID 3460 wrote to memory of 1420	3460	Process not Found	131
PID 3460 wrote to memory of 1420	3460	Process not Found	131

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads