Analysis Overview
SHA256
b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
Threat Level: Known bad
The file b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90 was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Loads dropped DLL
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 00:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 00:35
Reported
2024-10-17 00:37
Platform
win7-20240903-en
Max time kernel
147s
Max time network
123s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
Loads dropped DLL
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\Tilesys.com | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 504 "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 552 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 560 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 564 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 568 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 572 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 576 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 580 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 584 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 588 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
Files
C:\tempr.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
C:\Windows\SysWOW64\Tilesys.com
| MD5 | 3df8c2521ccc2a565789e21a7efe2a2a |
| SHA1 | b9cdd76a4e650b8b1df9cad6e28af5e902e195eb |
| SHA256 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90 |
| SHA512 | e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 3637baf389a0d79b412adb2a7f1b7d09 |
| SHA1 | f4b011a72f59cf98a325f12b7e40ddd0548ccc16 |
| SHA256 | 835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba |
| SHA512 | ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 752fd85212d47da8f0adc29004a573b2 |
| SHA1 | fa8fe3ff766601db46412879dc13dbec8d055965 |
| SHA256 | 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e |
| SHA512 | d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 8a0897226da780b90c11da0756b361f1 |
| SHA1 | 67f813e8733ad75a2147c59cca102a60274daeab |
| SHA256 | 115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee |
| SHA512 | 55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5b77620cb52220f4a82e3551ee0a53a6 |
| SHA1 | 07d122b8e70ec5887bad4ef8f4d6209df18912d0 |
| SHA256 | 93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579 |
| SHA512 | 9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 00:35
Reported
2024-10-17 00:37
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Tilesys.com | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
| File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe
"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1104 "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1208 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1180 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1184 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1148 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1196 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1192 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1204 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1200 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Tilesys.com
C:\Windows\system32\Tilesys.com 1212 "C:\Windows\SysWOW64\Tilesys.com"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\tempr.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/4920-0-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4920-1-0x0000000000530000-0x0000000000531000-memory.dmp
memory/4920-2-0x0000000000660000-0x0000000000690000-memory.dmp
memory/4920-23-0x00000000023B0000-0x00000000023B1000-memory.dmp
memory/4920-37-0x0000000000690000-0x0000000000691000-memory.dmp
memory/4920-36-0x0000000002580000-0x0000000002581000-memory.dmp
memory/4920-35-0x0000000002590000-0x0000000002591000-memory.dmp
memory/4920-34-0x0000000002560000-0x0000000002561000-memory.dmp
memory/4920-33-0x0000000002570000-0x0000000002571000-memory.dmp
memory/4920-32-0x0000000002540000-0x0000000002541000-memory.dmp
memory/4920-31-0x0000000002550000-0x0000000002551000-memory.dmp
memory/4920-30-0x0000000002520000-0x0000000002521000-memory.dmp
memory/4920-29-0x0000000002530000-0x0000000002531000-memory.dmp
memory/4920-28-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/4920-27-0x0000000002500000-0x0000000002501000-memory.dmp
memory/4920-26-0x00000000024D0000-0x00000000024D1000-memory.dmp
memory/4920-25-0x00000000024E0000-0x00000000024E1000-memory.dmp
memory/4920-24-0x00000000023A0000-0x00000000023A1000-memory.dmp
\??\c:\tempr.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
memory/4920-22-0x0000000002380000-0x0000000002381000-memory.dmp
memory/4920-21-0x0000000002390000-0x0000000002391000-memory.dmp
memory/4920-20-0x0000000002360000-0x0000000002361000-memory.dmp
memory/4920-19-0x0000000002370000-0x0000000002371000-memory.dmp
memory/4920-18-0x0000000002340000-0x0000000002341000-memory.dmp
memory/4920-17-0x0000000002350000-0x0000000002351000-memory.dmp
memory/4920-16-0x0000000002320000-0x0000000002321000-memory.dmp
memory/4920-15-0x0000000002330000-0x0000000002331000-memory.dmp
memory/4920-14-0x00000000022F0000-0x00000000022F1000-memory.dmp
memory/4920-13-0x0000000002300000-0x0000000002301000-memory.dmp
memory/4920-12-0x00000000022D0000-0x00000000022D1000-memory.dmp
memory/4920-11-0x00000000022E0000-0x00000000022E1000-memory.dmp
memory/4920-10-0x00000000022B0000-0x00000000022B1000-memory.dmp
memory/4920-9-0x00000000022C0000-0x00000000022C1000-memory.dmp
memory/4920-8-0x0000000002280000-0x0000000002281000-memory.dmp
memory/4920-7-0x0000000000550000-0x0000000000551000-memory.dmp
memory/4920-6-0x0000000000540000-0x0000000000541000-memory.dmp
memory/4920-5-0x0000000002270000-0x0000000002271000-memory.dmp
memory/4920-4-0x00000000006A0000-0x00000000006A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | a5d4cddfecf34e5391a7a3df62312327 |
| SHA1 | 04a3c708bab0c15b6746cf9dbf41a71c917a98b9 |
| SHA256 | 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a |
| SHA512 | 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 558ce6da965ba1758d112b22e15aa5a2 |
| SHA1 | a365542609e4d1dc46be62928b08612fcabe2ede |
| SHA256 | c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb |
| SHA512 | 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
memory/4920-147-0x0000000002FF0000-0x0000000002FF1000-memory.dmp
memory/4920-156-0x0000000003160000-0x0000000003161000-memory.dmp
memory/4920-155-0x0000000003170000-0x0000000003171000-memory.dmp
memory/4920-161-0x0000000003180000-0x0000000003181000-memory.dmp
memory/4920-171-0x0000000003220000-0x0000000003221000-memory.dmp
memory/4920-170-0x0000000003230000-0x0000000003231000-memory.dmp
memory/4920-169-0x0000000003200000-0x0000000003201000-memory.dmp
memory/4920-168-0x0000000003210000-0x0000000003211000-memory.dmp
memory/4920-151-0x0000000003030000-0x0000000003031000-memory.dmp
memory/4920-167-0x00000000031E0000-0x00000000031E1000-memory.dmp
memory/4920-166-0x00000000031F0000-0x00000000031F1000-memory.dmp
memory/4920-165-0x00000000031C0000-0x00000000031C1000-memory.dmp
memory/4920-164-0x00000000031D0000-0x00000000031D1000-memory.dmp
memory/4920-163-0x00000000031A0000-0x00000000031A1000-memory.dmp
memory/4920-162-0x00000000031B0000-0x00000000031B1000-memory.dmp
memory/4920-160-0x0000000003190000-0x0000000003191000-memory.dmp
C:\Windows\SysWOW64\Tilesys.com
| MD5 | 3df8c2521ccc2a565789e21a7efe2a2a |
| SHA1 | b9cdd76a4e650b8b1df9cad6e28af5e902e195eb |
| SHA256 | b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90 |
| SHA512 | e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e |
memory/4920-154-0x0000000003040000-0x0000000003041000-memory.dmp
memory/4920-153-0x0000000003050000-0x0000000003051000-memory.dmp
memory/4920-152-0x0000000003020000-0x0000000003021000-memory.dmp
memory/4920-150-0x0000000003000000-0x0000000003001000-memory.dmp
memory/4920-148-0x0000000002FE0000-0x0000000002FE1000-memory.dmp
memory/4920-149-0x0000000003010000-0x0000000003011000-memory.dmp
memory/4920-175-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4920-178-0x0000000000660000-0x0000000000690000-memory.dmp
memory/2920-194-0x0000000002570000-0x0000000002571000-memory.dmp
memory/2920-193-0x0000000002550000-0x0000000002551000-memory.dmp
memory/2920-192-0x0000000002530000-0x0000000002531000-memory.dmp
memory/2920-191-0x0000000002510000-0x0000000002511000-memory.dmp
memory/2920-190-0x00000000024F0000-0x00000000024F1000-memory.dmp
memory/2920-189-0x00000000024D0000-0x00000000024D1000-memory.dmp
memory/2920-188-0x00000000024B0000-0x00000000024B1000-memory.dmp
memory/2920-187-0x0000000002490000-0x0000000002491000-memory.dmp
memory/2920-186-0x0000000002470000-0x0000000002471000-memory.dmp
memory/2920-185-0x0000000002340000-0x0000000002341000-memory.dmp
memory/2920-184-0x0000000002320000-0x0000000002321000-memory.dmp
memory/2920-183-0x0000000002300000-0x0000000002301000-memory.dmp
memory/2920-182-0x00000000022E0000-0x00000000022E1000-memory.dmp
memory/2920-181-0x0000000002280000-0x0000000002281000-memory.dmp
memory/2920-180-0x0000000002270000-0x0000000002271000-memory.dmp
memory/2920-177-0x0000000000520000-0x0000000000550000-memory.dmp
memory/2920-176-0x00000000004F0000-0x00000000004F1000-memory.dmp
memory/2920-304-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2920-305-0x0000000000520000-0x0000000000550000-memory.dmp
memory/1988-307-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2920-419-0x0000000000520000-0x0000000000550000-memory.dmp
memory/2920-418-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1988-420-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/3620-422-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 2d9f1ff716273d19e3f0d10a3cd8736f |
| SHA1 | b4ca02834dd3f3489c5088d2157279d2be90f5ff |
| SHA256 | 9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623 |
| SHA512 | 1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | a920eceddece6cf7f3487fd8e919af34 |
| SHA1 | a6dee2d31d4cbd1b18f5d3bc971521411a699889 |
| SHA256 | ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6 |
| SHA512 | a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc |
memory/1988-533-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/3612-535-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 0d1e5715cf04d212bcd7c9dea5f7ab72 |
| SHA1 | a8add44bf542e4d22260a13de6a35704fb7f3bfb |
| SHA256 | 5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473 |
| SHA512 | 89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | f31b2aa720a1c523c1e36a40ef21ee0d |
| SHA1 | 9c8089896c55e6e6a9cca99b1b98c544723d314e |
| SHA256 | cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716 |
| SHA512 | a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 614dc91c25423b19711b270e1e5a49ad |
| SHA1 | f66496dcf9047ae934bdc4a65f697be55980b169 |
| SHA256 | cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e |
| SHA512 | 27a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7 |
memory/3620-646-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/3612-647-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4944-649-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5a466127fedf6dbcd99adc917bd74581 |
| SHA1 | a2e60b101c8789b59360d95a64ec07d0723c4d38 |
| SHA256 | 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84 |
| SHA512 | 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 8a84d46ef81c793a90a80bc806cffdcf |
| SHA1 | 02fac9db9330040ffc613a325686ddca2678a7c5 |
| SHA256 | 201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4 |
| SHA512 | b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | c1e5f93e2bee9ca33872764d8889de23 |
| SHA1 | 167f65adfc34a0e47cb7de92cc5958ee8905796a |
| SHA256 | 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a |
| SHA512 | 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859 |
memory/3612-760-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/4944-761-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1932-763-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | d085cde42c14e8ee2a5e8870d08aee42 |
| SHA1 | c8e967f1d301f97dbcf252d7e1677e590126f994 |
| SHA256 | a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f |
| SHA512 | de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b |
memory/4944-874-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/1932-875-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/756-877-0x0000000000400000-0x00000000004B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | d5e129352c8dd0032b51f34a2bbecad3 |
| SHA1 | a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a |
| SHA256 | ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267 |
| SHA512 | 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5da7efcc8d0fcdf2bad7890c3f8a27ca |
| SHA1 | 681788d5a3044eee8426d431bd786375cd32bf13 |
| SHA256 | 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8 |
| SHA512 | 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | b9dc88ed785d13aaeae9626d7a26a6a0 |
| SHA1 | ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e |
| SHA256 | 9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc |
| SHA512 | df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91 |