Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-02-2024 13:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
- Resource: win7-20240221-en
General
- Target: a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
- Size: 193KB
- MD5: a94f8fd4c23a4a4ad1f94d78dfd186f2
- SHA1: d6a0c5c4f7ffdbbc9a5664ce33b6199ac245674a
- SHA256: 3bee0e38f8d9c624a72228396603d782c864e71b3118d5c89b440d62c1e908ff
- SHA512: c96b98946c1a7947e5a60bbc2819debfd4d1a070104030ce17f5d9b5d42f7feccb90c6d7a7bfd62ddc974ef91d8a71335dc68b208cb313920bbb4d371254010a
- SSDEEP: 3072:ks9KL2cTu/9QvFaWA8pDhDIYG7BswwubXW3pCFUKH5cDKCMvW2PrRh4xeqLsSzjM:jKacK/WaV8pyYG7CyCCPHPrX4xeqLp4
Malware Config
Signatures
Detect Lumma Stealer payload V4 (1 IoC)
resource | yara_rule
behavioral2/memory/4512-282-0x0000000000400000-0x00000000004B2000-memory.dmp | family_lumma_v4
Modifies security service (2 TTPs, 22 IoCs)
Processes: regedit.exe (11 instances)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | regedit.exe
Executes dropped EXE (10 IoCs)
Processes: Tilesys.com (10 instances)
pid | process
2148 | Tilesys.com
2708 | Tilesys.com
3656 | Tilesys.com
4208 | Tilesys.com
2932 | Tilesys.com
1292 | Tilesys.com
1176 | Tilesys.com
1364 | Tilesys.com
3952 | Tilesys.com
1796 | Tilesys.com
Drops file in System32 directory (22 IoCs)
Processes: Tilesys.com (10 instances), a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
File created | C:\Windows\SysWOW64\Tilesys.com | Tilesys.com
Modifies registry class (33 IoCs)
Processes: Tilesys.com (10 instances), a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | a94f8fd4c23a4a4ad1f94d78dfd186f2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | Tilesys.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | Tilesys.com
Runs .reg file with regedit (11 IoCs)
Processes: regedit.exe (11 instances)
pid | process
636 | regedit.exe
4616 | regedit.exe
1984 | regedit.exe
4988 | regedit.exe
4340 | regedit.exe
992 | regedit.exe
4536 | regedit.exe
1476 | regedit.exe
4768 | regedit.exe
3080 | regedit.exe
2916 | regedit.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: a94f8fd4c23a4a4ad1f94d78dfd186f2.exe, cmd.exe (7 instances), Tilesys.com (7 instances)
Identical consecutive entries are collapsed; the last column gives how many times each entry appears in the report.
description | pid | process | target process | entries
PID 4512 wrote to memory of 116 | 4512 | a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | cmd.exe | 3
PID 116 wrote to memory of 2916 | 116 | cmd.exe | regedit.exe | 3
PID 4512 wrote to memory of 2148 | 4512 | a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | Tilesys.com | 3
PID 2148 wrote to memory of 1836 | 2148 | Tilesys.com | cmd.exe | 3
PID 1836 wrote to memory of 4340 | 1836 | cmd.exe | regedit.exe | 3
PID 2148 wrote to memory of 2708 | 2148 | Tilesys.com | Tilesys.com | 3
PID 2708 wrote to memory of 3360 | 2708 | Tilesys.com | cmd.exe | 3
PID 3360 wrote to memory of 4988 | 3360 | cmd.exe | regedit.exe | 3
PID 2708 wrote to memory of 3656 | 2708 | Tilesys.com | Tilesys.com | 3
PID 3656 wrote to memory of 1640 | 3656 | Tilesys.com | cmd.exe | 3
PID 1640 wrote to memory of 992 | 1640 | cmd.exe | regedit.exe | 3
PID 3656 wrote to memory of 4208 | 3656 | Tilesys.com | Tilesys.com | 3
PID 4208 wrote to memory of 3944 | 4208 | Tilesys.com | cmd.exe | 3
PID 3944 wrote to memory of 4536 | 3944 | cmd.exe | regedit.exe | 3
PID 4208 wrote to memory of 2932 | 4208 | Tilesys.com | Tilesys.com | 3
PID 2932 wrote to memory of 4996 | 2932 | Tilesys.com | cmd.exe | 3
PID 4996 wrote to memory of 1476 | 4996 | cmd.exe | regedit.exe | 3
PID 2932 wrote to memory of 1292 | 2932 | Tilesys.com | Tilesys.com | 3
PID 1292 wrote to memory of 4428 | 1292 | Tilesys.com | cmd.exe | 3
PID 4428 wrote to memory of 636 | 4428 | cmd.exe | regedit.exe | 3
PID 1292 wrote to memory of 1176 | 1292 | Tilesys.com | Tilesys.com | 3
PID 1176 wrote to memory of 3004 | 1176 | Tilesys.com | cmd.exe | 1
Processes
Process tree; the bracketed number is the depth in the tree, each node lists its command line, the signatures it triggered and its PID.
[1] C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe (PID 4512)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe"
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 116)
      cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\regedit.exe (PID 2916)
        cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        - Modifies security service
        - Runs .reg file with regedit
  [2] C:\Windows\SysWOW64\Tilesys.com (PID 2148)
      cmdline: C:\Windows\system32\Tilesys.com 1176 "C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1836)
        cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\regedit.exe (PID 4340)
          cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          - Modifies security service
          - Runs .reg file with regedit
    [3] C:\Windows\SysWOW64\Tilesys.com (PID 2708)
        cmdline: C:\Windows\system32\Tilesys.com 1208 "C:\Windows\SysWOW64\Tilesys.com"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3360)
          cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\regedit.exe (PID 4988)
            cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            - Modifies security service
            - Runs .reg file with regedit
      [4] C:\Windows\SysWOW64\Tilesys.com (PID 3656)
          cmdline: C:\Windows\system32\Tilesys.com 1180 "C:\Windows\SysWOW64\Tilesys.com"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 1640)
            cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\regedit.exe (PID 992)
              cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              - Modifies security service
              - Runs .reg file with regedit
        [5] C:\Windows\SysWOW64\Tilesys.com (PID 4208)
            cmdline: C:\Windows\system32\Tilesys.com 1184 "C:\Windows\SysWOW64\Tilesys.com"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe (PID 3944)
              cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\regedit.exe (PID 4536)
                cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                - Modifies security service
                - Runs .reg file with regedit
          [6] C:\Windows\SysWOW64\Tilesys.com (PID 2932)
              cmdline: C:\Windows\system32\Tilesys.com 1188 "C:\Windows\SysWOW64\Tilesys.com"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe (PID 4996)
                cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\regedit.exe (PID 1476)
                  cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  - Modifies security service
                  - Runs .reg file with regedit
            [7] C:\Windows\SysWOW64\Tilesys.com (PID 1292)
                cmdline: C:\Windows\system32\Tilesys.com 1192 "C:\Windows\SysWOW64\Tilesys.com"
                - Executes dropped EXE
                - Drops file in System32 directory
                - Modifies registry class
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe (PID 4428)
                  cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\regedit.exe (PID 636)
                    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    - Modifies security service
                    - Runs .reg file with regedit
              [8] C:\Windows\SysWOW64\Tilesys.com (PID 1176)
                  cmdline: C:\Windows\system32\Tilesys.com 1196 "C:\Windows\SysWOW64\Tilesys.com"
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - Modifies registry class
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SysWOW64\cmd.exe (PID 3004)
                    cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                  [10] C:\Windows\SysWOW64\regedit.exe (PID 4616)
                      cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      - Modifies security service
                      - Runs .reg file with regedit
                [9] C:\Windows\SysWOW64\Tilesys.com (PID 1364)
                    cmdline: C:\Windows\system32\Tilesys.com 1200 "C:\Windows\SysWOW64\Tilesys.com"
                    - Executes dropped EXE
                    - Drops file in System32 directory
                    - Modifies registry class
                  [10] C:\Windows\SysWOW64\cmd.exe (PID 1296)
                      cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                    [11] C:\Windows\SysWOW64\regedit.exe (PID 4768)
                        cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        - Modifies security service
                        - Runs .reg file with regedit
                  [10] C:\Windows\SysWOW64\Tilesys.com (PID 3952)
                      cmdline: C:\Windows\system32\Tilesys.com 1212 "C:\Windows\SysWOW64\Tilesys.com"
                      - Executes dropped EXE
                      - Drops file in System32 directory
                      - Modifies registry class
                    [11] C:\Windows\SysWOW64\cmd.exe (PID 2468)
                        cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                      [12] C:\Windows\SysWOW64\regedit.exe (PID 1984)
                          cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          - Modifies security service
                          - Runs .reg file with regedit
                    [11] C:\Windows\SysWOW64\Tilesys.com (PID 1796)
                        cmdline: C:\Windows\system32\Tilesys.com 1204 "C:\Windows\SysWOW64\Tilesys.com"
                        - Executes dropped EXE
                        - Drops file in System32 directory
                        - Modifies registry class
                      [12] C:\Windows\SysWOW64\cmd.exe (PID 4180)
                          cmdline: C:\Windows\system32\cmd.exe /c c:\tempr.bat
                        [13] C:\Windows\SysWOW64\regedit.exe (PID 3080)
                            cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            - Modifies security service
                            - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads