Malware Analysis Report

2025-08-05 10:47

Sample ID 241017-axcc6awaml
Target b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
SHA256 b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
Tags
bootkit discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90

Threat Level: Known bad

The file b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90 was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion persistence

Modifies security service

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 00:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 00:35

Reported

2024-10-17 00:37

Platform

win7-20240903-en

Max time kernel

147s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"

Signatures

Modifies security service

evasion
Start = 4 is SERVICE_DISABLED. wscsvc is the Security Center service and wuauserv is the Windows Update service; both are switched off by regedit.exe importing the dropped 1.reg (see the REGEDIT /S command lines under Processes), and each row below is one such write by a regedit.exe instance in the chain.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
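A small parser for rows of the shape printed above, added here as an example; it is not part of the report or of the sandbox's tooling. It takes the flat "Set value" lines (the first four are copied from the table, the Spooler and Classes rows are constructed for contrast and do not appear in the report), decodes the Start value into the SCM start type, collapses the repeated rows, and flags the services on a watch list. The watch list itself is an assumption and can be extended.

```python
import re

# SCM start types as stored in HKLM\SYSTEM\...\Services\<name>\Start
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Services whose forced disablement is a defence-evasion tell (assumed list; extend as needed)
WATCHED_SERVICES = {
    "wscsvc": "Security Center",
    "wuauserv": "Windows Update",
    "windefend": "Microsoft Defender Antivirus",
    "mpssvc": "Windows Defender Firewall",
}

# 'Set value (<type>) <key>\<value> = "<data>" <process> <target>', as the report prints it
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<value>\w+)'
    r' = "(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)

# First four rows copied from the table (with the repeats the sandbox logs);
# the Spooler and Classes rows are constructed for contrast and are not in the report.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Spooler\Start = "3" C:\Windows\System32\services.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A',
]


def parse_row(line):
    """Return service name, value name, data and writing process for one row, or None if it is not a value write."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    parts = m["key"].split("\\")
    service = None
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "services":          # "services" on the Win7 image, "Services" on Win10
            service = parts[i + 1].lower()
            break
    return {"service": service, "value": m["value"], "data": m["data"], "process": m["process"]}


def analyse(rows):
    """Collapse repeated rows and classify every Services\\<name>\\Start change."""
    findings, seen = [], set()
    for line in rows:
        row = parse_row(line)
        if not row or not row["service"] or row["value"].lower() != "start":
            continue
        key = (row["service"], row["data"], row["process"].lower())
        if key in seen:                          # same service, same value, same writer: a logged repeat
            continue
        seen.add(key)
        try:
            start = int(row["data"])
        except ValueError:
            continue
        findings.append({
            "service": row["service"],
            "display": WATCHED_SERVICES.get(row["service"], "(not on watch list)"),
            "start": start,
            "start_type": START_TYPES.get(start, f"UNKNOWN({start})"),
            "process": row["process"],
            "watched": row["service"] in WATCHED_SERVICES,
        })
    return findings


def disabled_watched(rows):
    """Watch-listed services that were set to DISABLED: the rows that matter for triage."""
    return sorted(f["service"] for f in analyse(rows) if f["watched"] and f["start"] == 4)


if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS):
        flag = "!!" if f["watched"] and f["start"] == 4 else "  "
        print(f'{flag} {f["service"]:<10} {f["display"]:<28} Start={f["start"]} ({f["start_type"]}) by {f["process"]}')
```

The dedup key deliberately includes the writing process, so the same service being disabled by two different binaries still shows up twice.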

Writes to the Master Boot Record (MBR)

bootkit persistence
\??\PhysicalDrive0 is the raw first physical disk, so a write handle on it reaches sector 0 (the MBR) underneath any filesystem. Both the submitted sample and the dropped copy Tilesys.com open it for modification. The report does not capture what was written, so on a real host the MBR has to be read back and compared with a known-good copy to tell a wipe from a bootkit install.
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\Tilesys.com N/A
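What an incident responder does after seeing PhysicalDrive0 opened for modification is read sector 0 back and compare it with a known-good MBR. The Python below is an added example, not from the report or the sandbox: it parses the 512-byte sector (boot code, disk signature, partition table, 0x55AA signature), hashes the boot code for baseline comparison, and shows the findings for a clean, a tampered and a wiped sector. The MBR images are synthetic fixtures assembled by build_mbr (the boot-code bytes and disk signature are made up), and read_sector0 is the real read, which needs an elevated prompt on Windows.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        fields = struct.unpack_from("<8BII", sector, 446 + 16 * i)
        if fields[4] != 0:                                   # type 0 = unused slot
            partitions.append({"bootable": fields[0] == 0x80, "type": fields[4],
                               "lba_start": fields[8], "sectors": fields[9]})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "valid_signature": sector[510:] == BOOT_SIGNATURE,
    }


def compare_to_baseline(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Findings against a known-good MBR; an empty list means the parts that boot the machine are unchanged."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector wiped or overwritten")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def read_sector0(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows (elevated prompt required); same device the sample opened for writing."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a synthetic MBR for testing; not a real disk image."""
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b"".join(
        # CHS fields are irrelevant on LBA-addressed disks, so they are zeroed
        struct.pack("<8BII", 0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed fixtures: the boot-code bytes are made up, not real Windows boot code.
LAYOUT = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1024000)]
KNOWN_GOOD_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32, LAYOUT)
BASELINE_HASH = parse_mbr(KNOWN_GOOD_MBR)["boot_code_sha256"]
# A bootkit install: new code in sector 0, partition table left intact so Windows still boots
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\xcc" * 128, LAYOUT)
# A wipe: signature gone and the partition table with it
WIPED_MBR = b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    for name, img in [("known-good", KNOWN_GOOD_MBR), ("tampered", TAMPERED_MBR), ("wiped", WIPED_MBR)]:
        print(name, compare_to_baseline(img, BASELINE_HASH) or ["OK"])
```

The baseline hash should come from the same machine (or image) before infection, since the 440 boot-code bytes differ between Windows versions and between OEM and stock installs.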

Drops file in System32 directory

The dropped Tilesys.com has the same SHA256 as the submitted sample (see Files), so it is a byte-identical self-copy, and each Tilesys.com generation re-creates it before launching the next.
Description Indicator Process Target
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A

Modifies registry class

Setting the default value of HKLM\SOFTWARE\Classes\.key to "regfile" binds the .key extension to the Registry Editor's ProgID, so a file with that extension is handled like a .reg script.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A

Suspicious use of WriteProcessMemory

Each parent/child pair below is logged four times. Taken together the pairs form one tree rooted in the sample (PID 2212): sample -> cmd.exe -> regedit.exe, and sample -> Tilesys.com, where each Tilesys.com instance in turn spawns cmd.exe -> regedit.exe and a further Tilesys.com, six chained Tilesys.com instances in all. The pairs line up with the launch order under Processes, which is what process creation looks like in this log rather than injection into an unrelated process.
Description Indicator Process Target
PID 2212 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\Tilesys.com
PID 2212 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\Tilesys.com
PID 2212 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\Tilesys.com
PID 2212 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\Tilesys.com
PID 2700 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2700 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2700 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2700 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2340 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2340 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2340 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2340 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1064 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2024 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2024 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2024 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1064 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1064 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1064 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1064 wrote to memory of 2520 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2520 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2268 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2268 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2268 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2520 wrote to memory of 532 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2520 wrote to memory of 532 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2520 wrote to memory of 532 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2520 wrote to memory of 532 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 532 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 532 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 532 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 532 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1108 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1108 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1108 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1108 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 532 wrote to memory of 992 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 532 wrote to memory of 992 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 532 wrote to memory of 992 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 532 wrote to memory of 992 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 992 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2392 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2392 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2392 wrote to memory of 2408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 992 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 992 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 992 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 992 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com

Processes

The Tilesys.com command lines name C:\Windows\system32\Tilesys.com, but the file is created under C:\Windows\SysWOW64 because the 32-bit process is subject to WoW64 file system redirection on this 64-bit image; hunt on the SysWOW64 path. Each Tilesys.com instance receives a number and the path of the image that launched it as arguments.

C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe

"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 504 "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 552 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 560 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 564 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 568 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 572 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 576 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 580 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 584 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 588 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
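To turn the repeated WriteProcessMemory rows into the process tree they describe, here is an added Python example, not from the report or the sandbox. The input rows are rebuilt from the pairs in the signature table (two of them repeated to show the fourfold logging being collapsed); the one-letter image-path names S, T, C and R are this example's abbreviations. It renders the tree in launch order and measures how many generations deep the Tilesys.com self-copy chain runs.

```python
import re
from collections import defaultdict

WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<parent_img>\S+) (?P<child_img>\S+)$")

# Image paths from the report; the single-letter names are this example's abbreviations.
S = r"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"
T = r"C:\Windows\SysWOW64\Tilesys.com"
C = r"C:\Windows\SysWOW64\cmd.exe"
R = r"C:\Windows\SysWOW64\regedit.exe"

# (parent, child, parent image, child image) as listed in the signature table;
# the first two pairs are repeated to mirror the fourfold logging in the report.
PAIRS = [
    (2212, 2700, S, C), (2212, 2700, S, C), (2212, 2340, S, T), (2212, 2340, S, T),
    (2700, 2848, C, R), (2340, 1064, T, T), (1064, 2024, T, C), (2024, 2112, C, R),
    (1064, 2520, T, T), (2520, 2268, T, C), (2268, 2620, C, R), (2520, 532, T, T),
    (532, 1108, T, C), (1108, 2200, C, R), (532, 992, T, T), (992, 2392, T, C),
    (2392, 2408, C, R), (992, 2844, T, T),
]
WPM_ROWS = [f"PID {p} wrote to memory of {c} N/A {pi} {ci}" for p, c, pi, ci in PAIRS]


def build_tree(rows):
    """Parse rows into (ordered unique edges, pid -> image path), collapsing repeats."""
    edges, images = {}, {}
    for line in rows:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        edges[(parent, child)] = True           # dict keeps first-seen order and drops repeats
        images[parent], images[child] = m["parent_img"], m["child_img"]
    return list(edges), images


def children_of(edges):
    kids = defaultdict(list)
    for parent, child in edges:
        kids[parent].append(child)
    return kids


def roots(edges):
    """PIDs that write to others but are never written to: the top of each tree."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def render(edges, images):
    """Indented text tree, one line per process, in launch order."""
    kids, lines = children_of(edges), []

    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{name} (PID {pid})")
        for child in kids[pid]:
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


def generations(edges, images, basename):
    """Longest chain of a process launching a copy of its own image (self-replication depth)."""
    kids = children_of(edges)
    same = lambda pid: images[pid].lower().endswith("\\" + basename.lower())

    def depth(pid):
        return 1 + max((depth(c) for c in kids[pid] if same(c)), default=0)

    first_gen = [c for p, c in edges if same(c) and not same(p)]   # copies launched by a different image
    return max((depth(pid) for pid in first_gen), default=0)


if __name__ == "__main__":
    edges, images = build_tree(WPM_ROWS)
    print("\n".join(render(edges, images)))
    print("Tilesys.com generations:", generations(edges, images, "Tilesys.com"))
```

A WriteProcessMemory pair whose child is not also a freshly created process in the tree would be the case worth treating as injection; every pair in this report has one.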

Network

N/A

Files

memory/2212-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2212-0-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2212-2-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2212-3-0x0000000000280000-0x0000000000283000-memory.dmp

memory/2212-24-0x0000000001F50000-0x0000000001F51000-memory.dmp

memory/2212-32-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/2212-37-0x0000000002420000-0x0000000002421000-memory.dmp

memory/2212-36-0x0000000002430000-0x0000000002431000-memory.dmp

memory/2212-35-0x0000000002400000-0x0000000002401000-memory.dmp

memory/2212-34-0x0000000002410000-0x0000000002411000-memory.dmp

memory/2212-31-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/2212-30-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/2212-29-0x00000000023D0000-0x00000000023D1000-memory.dmp

C:\tempr.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

memory/2212-28-0x0000000001F90000-0x0000000001F91000-memory.dmp

memory/2212-27-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

memory/2212-26-0x0000000001F70000-0x0000000001F71000-memory.dmp

memory/2212-25-0x0000000001F80000-0x0000000001F81000-memory.dmp

memory/2212-23-0x0000000001F60000-0x0000000001F61000-memory.dmp

memory/2212-22-0x0000000000910000-0x0000000000911000-memory.dmp

memory/2212-21-0x0000000000920000-0x0000000000921000-memory.dmp

memory/2212-20-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/2212-19-0x0000000000900000-0x0000000000901000-memory.dmp

memory/2212-18-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2212-17-0x0000000000650000-0x0000000000651000-memory.dmp

memory/2212-16-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2212-15-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2212-14-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2212-13-0x0000000000330000-0x0000000000331000-memory.dmp

memory/2212-12-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2212-11-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2212-10-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2212-9-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2212-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2212-7-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2212-6-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2212-5-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2212-4-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/2212-162-0x00000000028A0000-0x00000000028A1000-memory.dmp

memory/2340-187-0x00000000002E0000-0x0000000000310000-memory.dmp

memory/2340-186-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2212-185-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Windows\SysWOW64\Tilesys.com

MD5 3df8c2521ccc2a565789e21a7efe2a2a
SHA1 b9cdd76a4e650b8b1df9cad6e28af5e902e195eb
SHA256 b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
SHA512 e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e

memory/2212-182-0x0000000002B30000-0x0000000002BE2000-memory.dmp

memory/2212-181-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/2212-180-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/2212-179-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/2212-178-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/2212-177-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2212-176-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2212-175-0x0000000002990000-0x0000000002991000-memory.dmp

memory/2212-174-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/2212-173-0x0000000002970000-0x0000000002971000-memory.dmp

memory/2212-172-0x0000000002980000-0x0000000002981000-memory.dmp

memory/2212-171-0x0000000002950000-0x0000000002951000-memory.dmp

memory/2212-170-0x0000000002960000-0x0000000002961000-memory.dmp

memory/2212-169-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/2212-168-0x0000000002900000-0x0000000002901000-memory.dmp

memory/2212-167-0x00000000028D0000-0x00000000028D1000-memory.dmp

memory/2212-166-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/2212-165-0x00000000028B0000-0x00000000028B1000-memory.dmp

memory/2212-164-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/2212-163-0x0000000002890000-0x0000000002891000-memory.dmp

memory/2212-161-0x0000000002870000-0x0000000002871000-memory.dmp

memory/2212-160-0x0000000002880000-0x0000000002881000-memory.dmp

memory/2212-203-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2340-202-0x0000000002430000-0x0000000002431000-memory.dmp

memory/2340-201-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/2340-200-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/2340-199-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/2340-198-0x0000000002390000-0x0000000002391000-memory.dmp

memory/2340-197-0x0000000002060000-0x0000000002061000-memory.dmp

memory/2340-196-0x0000000002040000-0x0000000002041000-memory.dmp

memory/2340-195-0x0000000002020000-0x0000000002021000-memory.dmp

memory/2340-194-0x0000000002000000-0x0000000002001000-memory.dmp

memory/2340-193-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

memory/2340-192-0x0000000000760000-0x0000000000761000-memory.dmp

memory/2340-191-0x0000000000740000-0x0000000000741000-memory.dmp

memory/2340-190-0x0000000000520000-0x0000000000521000-memory.dmp

memory/2340-189-0x00000000004D0000-0x00000000004D1000-memory.dmp

memory/2340-188-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/2340-205-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2340-206-0x00000000002E0000-0x0000000000310000-memory.dmp

memory/2340-208-0x0000000002CF0000-0x0000000002DA2000-memory.dmp

memory/2340-326-0x00000000002E0000-0x0000000000310000-memory.dmp

memory/2340-327-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1064-329-0x0000000002D60000-0x0000000002E12000-memory.dmp

memory/1064-447-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/532-452-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2520-450-0x0000000002CE0000-0x0000000002D92000-memory.dmp

memory/2520-568-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/992-573-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/532-571-0x0000000002CE0000-0x0000000002D92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3637baf389a0d79b412adb2a7f1b7d09
SHA1 f4b011a72f59cf98a325f12b7e40ddd0548ccc16
SHA256 835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba
SHA512 ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

memory/532-689-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/992-690-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2844-694-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/992-810-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2844-812-0x0000000002CE0000-0x0000000002D92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 752fd85212d47da8f0adc29004a573b2
SHA1 fa8fe3ff766601db46412879dc13dbec8d055965
SHA256 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e
SHA512 d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a0897226da780b90c11da0756b361f1
SHA1 67f813e8733ad75a2147c59cca102a60274daeab
SHA256 115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee
SHA512 55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5b77620cb52220f4a82e3551ee0a53a6
SHA1 07d122b8e70ec5887bad4ef8f4d6209df18912d0
SHA256 93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579
SHA512 9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 00:35

Reported

2024-10-17 00:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File opened for modification C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A
File created C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Tilesys.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ C:\Windows\SysWOW64\Tilesys.com N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.key C:\Windows\SysWOW64\Tilesys.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4920 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4944 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4944 wrote to memory of 3176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4920 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\Tilesys.com
PID 4920 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\Tilesys.com
PID 4920 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe C:\Windows\SysWOW64\Tilesys.com
PID 2920 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2920 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5060 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5060 wrote to memory of 5092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2920 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2920 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 2920 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1988 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2968 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2968 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2968 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1988 wrote to memory of 3620 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1988 wrote to memory of 3620 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1988 wrote to memory of 3620 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 3620 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2260 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2260 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3620 wrote to memory of 3612 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 3620 wrote to memory of 3612 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 3620 wrote to memory of 3612 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 3612 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 3612 wrote to memory of 2360 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2360 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2360 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3612 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 3612 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 3612 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 4944 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 2000 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2000 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2000 wrote to memory of 3996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4944 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 4944 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 4944 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1932 wrote to memory of 1828 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1828 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1828 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe
PID 1828 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1828 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1828 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1932 wrote to memory of 756 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1932 wrote to memory of 756 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 1932 wrote to memory of 756 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\Tilesys.com
PID 756 wrote to memory of 3276 N/A C:\Windows\SysWOW64\Tilesys.com C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe

"C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1104 "C:\Users\Admin\AppData\Local\Temp\b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1208 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1180 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1184 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1148 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1196 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1192 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1204 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1200 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1212 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4920-0-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4920-1-0x0000000000530000-0x0000000000531000-memory.dmp

memory/4920-2-0x0000000000660000-0x0000000000690000-memory.dmp

memory/4920-23-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/4920-37-0x0000000000690000-0x0000000000691000-memory.dmp

memory/4920-36-0x0000000002580000-0x0000000002581000-memory.dmp

memory/4920-35-0x0000000002590000-0x0000000002591000-memory.dmp

memory/4920-34-0x0000000002560000-0x0000000002561000-memory.dmp

memory/4920-33-0x0000000002570000-0x0000000002571000-memory.dmp

memory/4920-32-0x0000000002540000-0x0000000002541000-memory.dmp

memory/4920-31-0x0000000002550000-0x0000000002551000-memory.dmp

memory/4920-30-0x0000000002520000-0x0000000002521000-memory.dmp

memory/4920-29-0x0000000002530000-0x0000000002531000-memory.dmp

memory/4920-28-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/4920-27-0x0000000002500000-0x0000000002501000-memory.dmp

memory/4920-26-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/4920-25-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/4920-24-0x00000000023A0000-0x00000000023A1000-memory.dmp

\??\c:\tempr.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

memory/4920-22-0x0000000002380000-0x0000000002381000-memory.dmp

memory/4920-21-0x0000000002390000-0x0000000002391000-memory.dmp

memory/4920-20-0x0000000002360000-0x0000000002361000-memory.dmp

memory/4920-19-0x0000000002370000-0x0000000002371000-memory.dmp

memory/4920-18-0x0000000002340000-0x0000000002341000-memory.dmp

memory/4920-17-0x0000000002350000-0x0000000002351000-memory.dmp

memory/4920-16-0x0000000002320000-0x0000000002321000-memory.dmp

memory/4920-15-0x0000000002330000-0x0000000002331000-memory.dmp

memory/4920-14-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/4920-13-0x0000000002300000-0x0000000002301000-memory.dmp

memory/4920-12-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/4920-11-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/4920-10-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/4920-9-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/4920-8-0x0000000002280000-0x0000000002281000-memory.dmp

memory/4920-7-0x0000000000550000-0x0000000000551000-memory.dmp

memory/4920-6-0x0000000000540000-0x0000000000541000-memory.dmp

memory/4920-5-0x0000000002270000-0x0000000002271000-memory.dmp

memory/4920-4-0x00000000006A0000-0x00000000006A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a5d4cddfecf34e5391a7a3df62312327
SHA1 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA1 a365542609e4d1dc46be62928b08612fcabe2ede
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/4920-147-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

memory/4920-156-0x0000000003160000-0x0000000003161000-memory.dmp

memory/4920-155-0x0000000003170000-0x0000000003171000-memory.dmp

memory/4920-161-0x0000000003180000-0x0000000003181000-memory.dmp

memory/4920-171-0x0000000003220000-0x0000000003221000-memory.dmp

memory/4920-170-0x0000000003230000-0x0000000003231000-memory.dmp

memory/4920-169-0x0000000003200000-0x0000000003201000-memory.dmp

memory/4920-168-0x0000000003210000-0x0000000003211000-memory.dmp

memory/4920-151-0x0000000003030000-0x0000000003031000-memory.dmp

memory/4920-167-0x00000000031E0000-0x00000000031E1000-memory.dmp

memory/4920-166-0x00000000031F0000-0x00000000031F1000-memory.dmp

memory/4920-165-0x00000000031C0000-0x00000000031C1000-memory.dmp

memory/4920-164-0x00000000031D0000-0x00000000031D1000-memory.dmp

memory/4920-163-0x00000000031A0000-0x00000000031A1000-memory.dmp

memory/4920-162-0x00000000031B0000-0x00000000031B1000-memory.dmp

memory/4920-160-0x0000000003190000-0x0000000003191000-memory.dmp

C:\Windows\SysWOW64\Tilesys.com

MD5 3df8c2521ccc2a565789e21a7efe2a2a
SHA1 b9cdd76a4e650b8b1df9cad6e28af5e902e195eb
SHA256 b4923cbab0b28bdcbc4cf8ff8a6680afbb025f25f3f86904c32ba59ad19eea90
SHA512 e9c5b865d70f1fccf13fab15357c7429f75f4c27aef8253b23f4fbef81caa941e678e5e27b81d843ac5c3a57beeaa7591525b7c1064b279b1591b729d7ab8a1e

memory/4920-154-0x0000000003040000-0x0000000003041000-memory.dmp

memory/4920-153-0x0000000003050000-0x0000000003051000-memory.dmp

memory/4920-152-0x0000000003020000-0x0000000003021000-memory.dmp

memory/4920-150-0x0000000003000000-0x0000000003001000-memory.dmp

memory/4920-148-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

memory/4920-149-0x0000000003010000-0x0000000003011000-memory.dmp

memory/4920-175-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4920-178-0x0000000000660000-0x0000000000690000-memory.dmp

memory/2920-194-0x0000000002570000-0x0000000002571000-memory.dmp

memory/2920-193-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2920-192-0x0000000002530000-0x0000000002531000-memory.dmp

memory/2920-191-0x0000000002510000-0x0000000002511000-memory.dmp

memory/2920-190-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/2920-189-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/2920-188-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/2920-187-0x0000000002490000-0x0000000002491000-memory.dmp

memory/2920-186-0x0000000002470000-0x0000000002471000-memory.dmp

memory/2920-185-0x0000000002340000-0x0000000002341000-memory.dmp

memory/2920-184-0x0000000002320000-0x0000000002321000-memory.dmp

memory/2920-183-0x0000000002300000-0x0000000002301000-memory.dmp

memory/2920-182-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/2920-181-0x0000000002280000-0x0000000002281000-memory.dmp

memory/2920-180-0x0000000002270000-0x0000000002271000-memory.dmp

memory/2920-177-0x0000000000520000-0x0000000000550000-memory.dmp

memory/2920-176-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/2920-304-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2920-305-0x0000000000520000-0x0000000000550000-memory.dmp

memory/1988-307-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2920-419-0x0000000000520000-0x0000000000550000-memory.dmp

memory/2920-418-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1988-420-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3620-422-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2d9f1ff716273d19e3f0d10a3cd8736f
SHA1 b4ca02834dd3f3489c5088d2157279d2be90f5ff
SHA256 9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623
SHA512 1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a920eceddece6cf7f3487fd8e919af34
SHA1 a6dee2d31d4cbd1b18f5d3bc971521411a699889
SHA256 ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6
SHA512 a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc

memory/1988-533-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3612-535-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 0d1e5715cf04d212bcd7c9dea5f7ab72
SHA1 a8add44bf542e4d22260a13de6a35704fb7f3bfb
SHA256 5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473
SHA512 89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f31b2aa720a1c523c1e36a40ef21ee0d
SHA1 9c8089896c55e6e6a9cca99b1b98c544723d314e
SHA256 cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716
SHA512 a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 614dc91c25423b19711b270e1e5a49ad
SHA1 f66496dcf9047ae934bdc4a65f697be55980b169
SHA256 cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e
SHA512 27a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7

memory/3620-646-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3612-647-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4944-649-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a84d46ef81c793a90a80bc806cffdcf
SHA1 02fac9db9330040ffc613a325686ddca2678a7c5
SHA256 201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4
SHA512 b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c1e5f93e2bee9ca33872764d8889de23
SHA1 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

memory/3612-760-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4944-761-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1932-763-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

memory/4944-874-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1932-875-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/756-877-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d5e129352c8dd0032b51f34a2bbecad3
SHA1 a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
SHA256 ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
SHA512 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5da7efcc8d0fcdf2bad7890c3f8a27ca
SHA1 681788d5a3044eee8426d431bd786375cd32bf13
SHA256 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8
SHA512 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 b9dc88ed785d13aaeae9626d7a26a6a0
SHA1 ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e
SHA256 9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc
SHA512 df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91
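The same path, C:\Users\Admin\AppData\Local\Temp\1.reg, appears twelve times in this listing with twelve different digest sets, so the sample rewrote the file with different content on each drop and no single content hash identifies it; the path is the stable indicator. The following parser and hash checker is an added example, not part of the sandbox report or its tooling: it turns entries in this "path, then MD5/SHA1/SHA256/SHA512" layout into records, counts how many distinct contents were written to each path, and checks a recovered file against the listed digests. The function names are the example's own; the sample input is constructed from the first records above (the digests are copied from the listing).

```python
"""Parser and hash checker for the dropped-file entries of a sandbox
'Files' listing.  Added example; not part of the original report."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: one memory-dump line and the first two 1.reg records
# copied from the listing above (the digests are the report's own values).
SAMPLE_LISTING = r"""
memory/2920-304-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2d9f1ff716273d19e3f0d10a3cd8736f
SHA1 b4ca02834dd3f3489c5088d2157279d2be90f5ff
SHA256 9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623
SHA512 1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a920eceddece6cf7f3487fd8e919af34
SHA1 a6dee2d31d4cbd1b18f5d3bc971521411a699889
SHA256 ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6
SHA512 a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc
"""

# Expected hex length of each digest, used to catch truncated copy/paste.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_listing(text):
    """Return records of the form {'path': str, 'hashes': {alg: hex}}.

    Any non-hash line starts a new record (a dropped-file path or a
    memory/<pid>-<n>-<range>-memory.dmp name); memory dumps carry no
    digests in the listing, so their hash dict stays empty.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{alg} digest has wrong length for {current['path']}")
            current["hashes"][alg] = digest
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def distinct_contents_per_path(records):
    """Map each hashed path to the number of distinct SHA256 values seen.

    A count above 1 means the same path was written with different
    content, so no single content hash identifies the artifact.
    """
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[r["path"]].add(r["hashes"]["SHA256"])
    return {path: len(digests) for path, digests in seen.items()}


def file_digests(data):
    """All four digests of a byte string, keyed the way the report keys them."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_record(data, records):
    """Return the paths of records whose listed digests all match `data`.

    Use this to confirm that a file recovered from a host or a sandbox
    export is byte-identical to one of the drops in the report.
    """
    actual = file_digests(data)
    return [
        r["path"]
        for r in records
        if r["hashes"] and all(actual[alg] == hexval for alg, hexval in r["hashes"].items())
    ]


if __name__ == "__main__":
    recs = parse_files_listing(SAMPLE_LISTING)
    print(distinct_contents_per_path(recs))
```

Run against the full listing, `distinct_contents_per_path` reports 12 for the 1.reg path; when a recovered 1.reg matches none of the records, that is expected for this sample and is a reason to pivot to the path and the process that wrote it rather than to discard the file.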