8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217

General

Target

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
Size

314KB
MD5

201c52f6219061d02e59bb11988e2950
SHA1

f6825d6dcd8dfbbac5ca186818b15d4fcb18d77f
SHA256

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217
SHA512

02f6b69c6aef542e7facb67cc2a99fdb7f69d57209e215b41770faa6a46bc7ae1020872d8aad8659ceac1525c7e7dc542be5320d0aa8d249881f9a2e6b79c66e
SSDEEP

6144:Eyyzjg3u0rMoSc97kro4DtNxOaK9dAOBhmNnMOD:EyyQ3u0rMclZ0nME

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.com	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.pif	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.com	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.com	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.pif	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.com	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.pif	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.com	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.pif\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.pif	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.com	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.pif	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.com\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp /__RUNOFIMAGEFILE__"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.pif	reg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

pid process

1476 8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

pid	process
1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe

description	pid	process	target process
PID 1476 wrote to memory of 1736	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1736	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1736	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1736	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1996	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1996	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1996	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1996	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 604	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 604	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 604	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 604	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1932	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1932	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1932	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1932	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1392	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1392	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1392	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1392	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 948	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 948	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 948	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 948	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1812	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1812	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1812	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1812	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1488	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1488	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1488	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1488	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1772	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1772	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1772	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1772	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1868	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1868	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1868	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1868	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1616	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1616	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1616	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1616	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1628	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1628	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1628	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1628	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1548	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1548	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1548	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1548	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1936	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1936	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1936	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 1936	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 288	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 288	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 288	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 288	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 2040	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 2040	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 2040	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe
PID 1476 wrote to memory of 2040	1476	8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe
"C:\Users\Admin\AppData\Local\Temp\8d8478081d8f0b2173d1af6564b7e469a6528babda0761e282e0a5f9715d7217.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1996

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:604

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:948

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:288

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:976

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:1768

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.pif" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.com" /v Debugger /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp /__RUNOFIMAGEFILE__" /f
2⤵
- Sets file execution options in registry
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-75-0x0000000000000000-mapping.dmp

Download
memory/288-69-0x0000000000000000-mapping.dmp

Download
memory/604-57-0x0000000000000000-mapping.dmp

Download
memory/948-60-0x0000000000000000-mapping.dmp

Download
memory/976-72-0x0000000000000000-mapping.dmp

Download
memory/1392-59-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1488-62-0x0000000000000000-mapping.dmp

Download
memory/1548-67-0x0000000000000000-mapping.dmp

Download
memory/1616-65-0x0000000000000000-mapping.dmp

Download
memory/1628-66-0x0000000000000000-mapping.dmp

Download
memory/1736-55-0x0000000000000000-mapping.dmp

Download
memory/1768-73-0x0000000000000000-mapping.dmp

Download
memory/1772-63-0x0000000000000000-mapping.dmp

Download
memory/1812-61-0x0000000000000000-mapping.dmp

Download
memory/1868-64-0x0000000000000000-mapping.dmp

Download
memory/1932-58-0x0000000000000000-mapping.dmp

Download
memory/1936-68-0x0000000000000000-mapping.dmp

Download
memory/1988-71-0x0000000000000000-mapping.dmp

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download
memory/2000-74-0x0000000000000000-mapping.dmp

Download
memory/2040-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing