Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-11-2022 08:35
Static task: static1
Behavioral task: behavioral1
  Sample: 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
  Resource: win10v2004-20220812-en
General
Target: 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
Size: 392KB
MD5: 285d1fb99eccf1fe874503ad2335d880
SHA1: 556c61cfc54710d6a1ff856b26927723e12850be
SHA256: 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad
SHA512: afff5f4672ce3bc4c46b0704d61e52ad56d468af453ad594f2748e0d801e80b3b52c20ce044fecefd6d1c0c69b2f2d572f07f10784aa5912655db575eefb2e01
SSDEEP: 6144:mIt8huaw9mW5Vz85Qvzknnug+wfUYHLyMK2NGoWcaVgV98BKBpyAyVoeFYl/Zc9:nsazXrIL1v+Mmc1SKBpyS69
Malware Config
Signatures

Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.

Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\726211\\sysmn.exe\"" | sysmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | sysmn.exe

Executes dropped EXE 2 IoCs
pid | Process
1500 | sysmn.exe
1764 | sysmn.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1700 | attrib.exe
1384 | attrib.exe

Loads dropped DLL 2 IoCs
pid | Process
1492 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1492 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe

Adds Run key to start application 2 TTPs 21 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Monitor = "\"C:\\ProgramData\\726211\\sysmn.exe\"" | sysmn.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dadasd = "C:\\Users\\Admin\\AppData\\Roaming\\dasdsadasdf\\asdasdsad.exe.exe" | REG.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | REG.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1004 set thread context of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1500 set thread context of 1764 | 1500 | sysmn.exe | 41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe 1 TTPs 20 IoCs
pid | Process
1396 | ping.exe
884 | ping.exe
824 | ping.exe
1748 | ping.exe
1508 | ping.exe
796 | ping.exe
1820 | ping.exe
1948 | ping.exe
1084 | ping.exe
1304 | ping.exe
2008 | ping.exe
1744 | ping.exe
1616 | ping.exe
1528 | ping.exe
564 | ping.exe
1740 | ping.exe
908 | ping.exe
1380 | ping.exe
808 | ping.exe
1996 | ping.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
1500 | sysmn.exe
1500 | sysmn.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1500 | sysmn.exe
1500 | sysmn.exe
1500 | sysmn.exe
1500 | sysmn.exe
1500 | sysmn.exe
1500 | sysmn.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1500 | sysmn.exe
1500 | sysmn.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1500 | sysmn.exe
1500 | sysmn.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1500 | sysmn.exe
1500 | sysmn.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
1500 | sysmn.exe
1500 | sysmn.exe

Suspicious behavior: RenamesItself 1 IoCs
pid | Process
1492 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
Token: SeDebugPrivilege | 1500 | sysmn.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1492 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 28
PID 1004 wrote to memory of 1380 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 29
PID 1004 wrote to memory of 1380 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 29
PID 1004 wrote to memory of 1380 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 29
PID 1004 wrote to memory of 1380 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 29
PID 1004 wrote to memory of 2008 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 32
PID 1004 wrote to memory of 2008 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 32
PID 1004 wrote to memory of 2008 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 32
PID 1004 wrote to memory of 2008 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 32
PID 1492 wrote to memory of 1500 | 1492 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 34
PID 1492 wrote to memory of 1500 | 1492 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 34
PID 1492 wrote to memory of 1500 | 1492 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 34
PID 1492 wrote to memory of 1500 | 1492 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 34
PID 1004 wrote to memory of 808 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 35
PID 1004 wrote to memory of 808 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 35
PID 1004 wrote to memory of 808 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 35
PID 1004 wrote to memory of 808 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 35
PID 1004 wrote to memory of 1996 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 37
PID 1004 wrote to memory of 1996 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 37
PID 1004 wrote to memory of 1996 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 37
PID 1004 wrote to memory of 1996 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 37
PID 1004 wrote to memory of 1396 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 39
PID 1004 wrote to memory of 1396 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 39
PID 1004 wrote to memory of 1396 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 39
PID 1004 wrote to memory of 1396 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 39
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1764 | 1500 | sysmn.exe | 41
PID 1500 wrote to memory of 1748 | 1500 | sysmn.exe | 42
PID 1500 wrote to memory of 1748 | 1500 | sysmn.exe | 42
PID 1500 wrote to memory of 1748 | 1500 | sysmn.exe | 42
PID 1500 wrote to memory of 1748 | 1500 | sysmn.exe | 42
PID 1004 wrote to memory of 1508 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 44
PID 1004 wrote to memory of 1508 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 44
PID 1004 wrote to memory of 1508 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 44
PID 1004 wrote to memory of 1508 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 44
PID 1500 wrote to memory of 1744 | 1500 | sysmn.exe | 46
PID 1500 wrote to memory of 1744 | 1500 | sysmn.exe | 46
PID 1500 wrote to memory of 1744 | 1500 | sysmn.exe | 46
PID 1500 wrote to memory of 1744 | 1500 | sysmn.exe | 46
PID 1004 wrote to memory of 796 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 48
PID 1004 wrote to memory of 796 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 48
PID 1004 wrote to memory of 796 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 48
PID 1004 wrote to memory of 796 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 48
PID 1500 wrote to memory of 1616 | 1500 | sysmn.exe | 50
PID 1500 wrote to memory of 1616 | 1500 | sysmn.exe | 50
PID 1500 wrote to memory of 1616 | 1500 | sysmn.exe | 50
PID 1500 wrote to memory of 1616 | 1500 | sysmn.exe | 50
PID 1004 wrote to memory of 1820 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 52
PID 1004 wrote to memory of 1820 | 1004 | 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe | 52

Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
1384 | attrib.exe
1700 | attrib.exe
Processes
(indentation shows the parent/child relationship; the original tree depth is given after each PID)

C:\Users\Admin\AppData\Local\Temp\6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe  (PID 1004, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe  (PID 1492, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe"
    - Loads dropped DLL
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\726211\sysmn.exe  (PID 1500, depth 3)
      command line: "C:\ProgramData\726211\sysmn.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\726211\sysmn.exe  (PID 1764, depth 4)
        command line: "C:\ProgramData\726211\sysmn.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application

      C:\Windows\SysWOW64\ping.exe  (PID 1748, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 1744, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 1616, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 884, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 1084, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 1528, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 824, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 1304, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 1740, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\ping.exe  (PID 908, depth 4)
        command line: C:\Windows\System32\ping.exe google.com
        - Runs ping.exe

      C:\Windows\SysWOW64\attrib.exe  (PID 1700, depth 4)
        command line: "C:\Windows\System32\attrib.exe" +s +h C:\ProgramData\726211\sysmn.exe
        - Sets file to hidden
        - Views/modifies file attributes

      C:\Windows\SysWOW64\REG.exe  (PID 1032, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 480, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 1464, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 1224, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 592, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 1724, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 2012, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 108, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

      C:\Windows\SysWOW64\REG.exe  (PID 952, depth 4)
        command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
        - Adds Run key to start application

  C:\Windows\SysWOW64\ping.exe  (PID 1380, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 2008, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 808, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 1996, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 1396, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 1508, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 796, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 1820, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 1948, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\ping.exe  (PID 564, depth 2)
    command line: C:\Windows\System32\ping.exe google.com
    - Runs ping.exe

  C:\Windows\SysWOW64\attrib.exe  (PID 1384, depth 2)
    command line: "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad.exe
    - Sets file to hidden
    - Views/modifies file attributes

  C:\Windows\SysWOW64\REG.exe  (PID 1112, depth 2)
    command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dadasd" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\dasdsadasdf\asdasdsad.exe.exe
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 392KB
MD5: 285d1fb99eccf1fe874503ad2335d880
SHA1: 556c61cfc54710d6a1ff856b26927723e12850be
SHA256: 6c536f28f0231d093ffddac221345d76bc73f74ee54a0cfb83161ef9bd4fbaad
SHA512: afff5f4672ce3bc4c46b0704d61e52ad56d468af453ad594f2748e0d801e80b3b52c20ce044fecefd6d1c0c69b2f2d572f07f10784aa5912655db575eefb2e01