description	ioc	Process
File created	C:\Windows\system32\QPYl\sethc.exe	cmd.exe
File opened for modification	C:\Windows\system32\QPYl\sethc.exe	cmd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\VIL3ZE.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile\shell\open	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\MSCFile	Process not Found

pid	Process
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

description	pid	Process	procid_target
PID 1208 wrote to memory of 3056	1208	Process not Found	30
PID 1208 wrote to memory of 3056	1208	Process not Found	30
PID 1208 wrote to memory of 3056	1208	Process not Found	30
PID 1208 wrote to memory of 2720	1208	Process not Found	31
PID 1208 wrote to memory of 2720	1208	Process not Found	31
PID 1208 wrote to memory of 2720	1208	Process not Found	31
PID 1208 wrote to memory of 2128	1208	Process not Found	33
PID 1208 wrote to memory of 2128	1208	Process not Found	33
PID 1208 wrote to memory of 2128	1208	Process not Found	33
PID 1208 wrote to memory of 1152	1208	Process not Found	34
PID 1208 wrote to memory of 1152	1208	Process not Found	34
PID 1208 wrote to memory of 1152	1208	Process not Found	34
PID 1208 wrote to memory of 2308	1208	Process not Found	36
PID 1208 wrote to memory of 2308	1208	Process not Found	36
PID 1208 wrote to memory of 2308	1208	Process not Found	36
PID 2308 wrote to memory of 2060	2308	eventvwr.exe	37
PID 2308 wrote to memory of 2060	2308	eventvwr.exe	37
PID 2308 wrote to memory of 2060	2308	eventvwr.exe	37
PID 2060 wrote to memory of 1580	2060	cmd.exe	39
PID 2060 wrote to memory of 1580	2060	cmd.exe	39
PID 2060 wrote to memory of 1580	2060	cmd.exe	39
PID 1208 wrote to memory of 2640	1208	Process not Found	40
PID 1208 wrote to memory of 2640	1208	Process not Found	40
PID 1208 wrote to memory of 2640	1208	Process not Found	40
PID 2640 wrote to memory of 2888	2640	cmd.exe	42
PID 2640 wrote to memory of 2888	2640	cmd.exe	42
PID 2640 wrote to memory of 2888	2640	cmd.exe	42
PID 1208 wrote to memory of 2492	1208	Process not Found	43
PID 1208 wrote to memory of 2492	1208	Process not Found	43
PID 1208 wrote to memory of 2492	1208	Process not Found	43
PID 2492 wrote to memory of 2032	2492	cmd.exe	45
PID 2492 wrote to memory of 2032	2492	cmd.exe	45
PID 2492 wrote to memory of 2032	2492	cmd.exe	45
PID 1208 wrote to memory of 2320	1208	Process not Found	46
PID 1208 wrote to memory of 2320	1208	Process not Found	46
PID 1208 wrote to memory of 2320	1208	Process not Found	46
PID 2320 wrote to memory of 2456	2320	cmd.exe	48
PID 2320 wrote to memory of 2456	2320	cmd.exe	48
PID 2320 wrote to memory of 2456	2320	cmd.exe	48
PID 1208 wrote to memory of 2436	1208	Process not Found	50
PID 1208 wrote to memory of 2436	1208	Process not Found	50
PID 1208 wrote to memory of 2436	1208	Process not Found	50
PID 2436 wrote to memory of 908	2436	cmd.exe	52
PID 2436 wrote to memory of 908	2436	cmd.exe	52
PID 2436 wrote to memory of 908	2436	cmd.exe	52
PID 1208 wrote to memory of 1380	1208	Process not Found	53
PID 1208 wrote to memory of 1380	1208	Process not Found	53
PID 1208 wrote to memory of 1380	1208	Process not Found	53
PID 1380 wrote to memory of 1776	1380	cmd.exe	55
PID 1380 wrote to memory of 1776	1380	cmd.exe	55
PID 1380 wrote to memory of 1776	1380	cmd.exe	55
PID 1208 wrote to memory of 3028	1208	Process not Found	56
PID 1208 wrote to memory of 3028	1208	Process not Found	56
PID 1208 wrote to memory of 3028	1208	Process not Found	56
PID 3028 wrote to memory of 2252	3028	cmd.exe	58
PID 3028 wrote to memory of 2252	3028	cmd.exe	58
PID 3028 wrote to memory of 2252	3028	cmd.exe	58

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads