bfa618d0d4f6ad7c98c588e4826a38391544520d4478e28c77ef29018c167516

General

Target

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Size

60KB
MD5

c4da0137cbb99626fd44da707ae1bca8
SHA1

a38e9891152755d9e7fff7386bb5a1bca375bd91
SHA256

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
SHA512

dd8212ff73522c6590ff8d8a3a48276fd872649eada2315b045c8c9f6cf054c3fe6cd741a16744eb82eff763acb745f07336c44db8f0c693770180cf7fd90645

Score

1^/10

Modifies registry class 5 IoCs

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab"	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\949640ab	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico"	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

description	pid	process	target process
PID 1980 wrote to memory of 1784	1980	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 1980 wrote to memory of 1784	1980	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 1980 wrote to memory of 1784	1980	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 1980 wrote to memory of 1784	1980	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 1784 wrote to memory of 1780	1784	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 1784 wrote to memory of 1780	1784	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 1784 wrote to memory of 1780	1784	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
PID 1784 wrote to memory of 1780	1784	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe	1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe

C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
"C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe"
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
"C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe
C:\Users\Admin\AppData\Local\Temp\1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a.exe -work worker0 -path \\?\C:\
3⤵
PID:1780

memory/1096-60-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download
memory/1780-64-0x0000000000000000-mapping.dmp

Download
memory/1784-62-0x0000000000000000-mapping.dmp

Download