description	ioc	Process
File created	C:\Windows\system32\lOapy\printfilterpipelinesvc.exe	cmd.exe
File opened for modification	C:\Windows\system32\lOapy\printfilterpipelinesvc.exe	cmd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\bEJFiSb.cmd"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\ms-settings\shell\open	Process not Found

pid	Process
4512	rundll32.exe
4512	rundll32.exe
4512	rundll32.exe
4512	rundll32.exe
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found

description	pid	Process
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found

description	pid	Process	procid_target
PID 3468 wrote to memory of 1600	3468	Process not Found	81
PID 3468 wrote to memory of 1600	3468	Process not Found	81
PID 3468 wrote to memory of 5036	3468	Process not Found	82
PID 3468 wrote to memory of 5036	3468	Process not Found	82
PID 3468 wrote to memory of 3284	3468	Process not Found	84
PID 3468 wrote to memory of 3284	3468	Process not Found	84
PID 3468 wrote to memory of 1052	3468	Process not Found	85
PID 3468 wrote to memory of 1052	3468	Process not Found	85
PID 3468 wrote to memory of 2096	3468	Process not Found	87
PID 3468 wrote to memory of 2096	3468	Process not Found	87
PID 2096 wrote to memory of 4312	2096	fodhelper.exe	88
PID 2096 wrote to memory of 4312	2096	fodhelper.exe	88
PID 4312 wrote to memory of 2324	4312	cmd.exe	90
PID 4312 wrote to memory of 2324	4312	cmd.exe	90
PID 3468 wrote to memory of 1944	3468	Process not Found	91
PID 3468 wrote to memory of 1944	3468	Process not Found	91
PID 1944 wrote to memory of 2504	1944	cmd.exe	93
PID 1944 wrote to memory of 2504	1944	cmd.exe	93
PID 3468 wrote to memory of 2480	3468	Process not Found	94
PID 3468 wrote to memory of 2480	3468	Process not Found	94
PID 2480 wrote to memory of 4224	2480	cmd.exe	96
PID 2480 wrote to memory of 4224	2480	cmd.exe	96
PID 3468 wrote to memory of 3608	3468	Process not Found	97
PID 3468 wrote to memory of 3608	3468	Process not Found	97
PID 3608 wrote to memory of 4612	3608	cmd.exe	99
PID 3608 wrote to memory of 4612	3608	cmd.exe	99
PID 3468 wrote to memory of 2948	3468	Process not Found	100
PID 3468 wrote to memory of 2948	3468	Process not Found	100
PID 2948 wrote to memory of 1932	2948	cmd.exe	102
PID 2948 wrote to memory of 1932	2948	cmd.exe	102
PID 3468 wrote to memory of 3728	3468	Process not Found	103
PID 3468 wrote to memory of 3728	3468	Process not Found	103
PID 3728 wrote to memory of 1872	3728	cmd.exe	105
PID 3728 wrote to memory of 1872	3728	cmd.exe	105
PID 3468 wrote to memory of 4464	3468	Process not Found	106
PID 3468 wrote to memory of 4464	3468	Process not Found	106
PID 4464 wrote to memory of 1100	4464	cmd.exe	108
PID 4464 wrote to memory of 1100	4464	cmd.exe	108

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads