2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7v20210410
submitted
15-05-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Size

434KB
MD5

b5d4146d585d33490dca0e55682b2492
SHA1

280386782e0dfad5991a218e1601ec5ca7ebc67b
SHA256

2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670
SHA512

31a9b11b9ffeb1fa4c8b10827917c99caf501276c5f55456bd1b2249f67926ccc011327c92722e8c4f7360f39b6e0d02895f705bf21d49bc4c12d29a425d8ab0

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2016	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
1172	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
1400	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
1960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
1888	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
1740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
1796	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
852	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
608	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
1244	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
1540	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
1692	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
480	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
640	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
876	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
616	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
1464	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
912	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
1156	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
780	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
1896	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
1088	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
1500	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
1240	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
2024	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
1200	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000013105-59.dat	upx
behavioral1/files/0x0004000000013105-60.dat	upx
behavioral1/files/0x0004000000013105-62.dat	upx
behavioral1/files/0x0004000000013105-63.dat	upx
behavioral1/files/0x0004000000013107-64.dat	upx
behavioral1/files/0x0004000000013107-65.dat	upx
behavioral1/files/0x0004000000013107-67.dat	upx
behavioral1/files/0x0004000000013107-68.dat	upx
behavioral1/files/0x000500000001310b-70.dat	upx
behavioral1/files/0x000500000001310b-69.dat	upx
behavioral1/files/0x000500000001310b-72.dat	upx
behavioral1/files/0x000500000001310b-73.dat	upx
behavioral1/files/0x000300000001310c-74.dat	upx
behavioral1/files/0x000300000001310c-75.dat	upx
behavioral1/files/0x000300000001310c-77.dat	upx
behavioral1/files/0x000300000001310c-78.dat	upx
behavioral1/files/0x000300000001310d-80.dat	upx
behavioral1/files/0x000300000001310d-82.dat	upx
behavioral1/files/0x000300000001310d-79.dat	upx
behavioral1/files/0x000300000001310d-83.dat	upx
behavioral1/files/0x000300000001310e-87.dat	upx
behavioral1/files/0x000300000001310e-85.dat	upx
behavioral1/files/0x000300000001310e-84.dat	upx
behavioral1/files/0x000300000001310e-88.dat	upx
behavioral1/files/0x000300000001310f-89.dat	upx
behavioral1/files/0x000300000001310f-90.dat	upx
behavioral1/files/0x000300000001310f-92.dat	upx
behavioral1/files/0x000300000001310f-93.dat	upx
behavioral1/files/0x0003000000013110-94.dat	upx
behavioral1/files/0x0003000000013110-97.dat	upx
behavioral1/files/0x0003000000013110-95.dat	upx
behavioral1/files/0x0003000000013111-99.dat	upx
behavioral1/files/0x0003000000013110-98.dat	upx
behavioral1/files/0x0003000000013111-102.dat	upx
behavioral1/files/0x0003000000013111-100.dat	upx
behavioral1/files/0x0003000000013111-103.dat	upx
behavioral1/files/0x0003000000013113-104.dat	upx
behavioral1/files/0x0003000000013113-105.dat	upx
behavioral1/files/0x0003000000013113-107.dat	upx
behavioral1/files/0x0003000000013113-108.dat	upx
behavioral1/files/0x0003000000013119-110.dat	upx
behavioral1/files/0x0003000000013119-112.dat	upx
behavioral1/files/0x0003000000013119-109.dat	upx
behavioral1/files/0x0003000000013119-113.dat	upx
behavioral1/files/0x000300000001311b-114.dat	upx
behavioral1/files/0x000300000001311b-115.dat	upx
behavioral1/files/0x000300000001311b-117.dat	upx
behavioral1/files/0x000300000001311b-118.dat	upx
behavioral1/files/0x000300000001312d-119.dat	upx
behavioral1/files/0x000300000001312d-122.dat	upx
behavioral1/files/0x000300000001312d-120.dat	upx
behavioral1/files/0x000300000001312d-123.dat	upx
behavioral1/files/0x000300000001312f-124.dat	upx
behavioral1/files/0x000300000001312f-125.dat	upx
behavioral1/files/0x000300000001312f-127.dat	upx
behavioral1/files/0x000300000001312f-128.dat	upx
behavioral1/files/0x0003000000013131-129.dat	upx
behavioral1/files/0x0003000000013131-130.dat	upx
behavioral1/files/0x0003000000013131-132.dat	upx
behavioral1/files/0x0003000000013131-133.dat	upx
behavioral1/files/0x0003000000013133-134.dat	upx
behavioral1/files/0x0003000000013133-135.dat	upx
behavioral1/files/0x0003000000013133-137.dat	upx
behavioral1/files/0x0003000000013133-138.dat	upx

Loads dropped DLL 52 IoCs

pid	Process
1096	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
1096	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
2016	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
2016	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
1172	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
1172	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
1400	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
1400	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
1960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
1960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
1888	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
1888	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
1740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
1740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
1796	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
1796	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
852	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
852	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
608	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
608	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
1244	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
1244	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
1540	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
1540	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
1692	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
1692	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
480	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
480	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
640	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
640	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
876	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
876	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
616	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
616	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
1464	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
1464	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
912	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
912	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
1156	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
1156	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
780	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
780	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
1896	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
1896	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
1088	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
1088	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
1500	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
1500	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
1240	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
1240	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
2024	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
2024	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe\""	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d920ada70f67247a	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2016	1096	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe	26
PID 1096 wrote to memory of 2016	1096	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe	26
PID 1096 wrote to memory of 2016	1096	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe	26
PID 1096 wrote to memory of 2016	1096	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe	26
PID 2016 wrote to memory of 1172	2016	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe	27
PID 2016 wrote to memory of 1172	2016	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe	27
PID 2016 wrote to memory of 1172	2016	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe	27
PID 2016 wrote to memory of 1172	2016	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe	27
PID 1172 wrote to memory of 1400	1172	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe	28
PID 1172 wrote to memory of 1400	1172	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe	28
PID 1172 wrote to memory of 1400	1172	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe	28
PID 1172 wrote to memory of 1400	1172	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe	28
PID 1400 wrote to memory of 1960	1400	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe	29
PID 1400 wrote to memory of 1960	1400	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe	29
PID 1400 wrote to memory of 1960	1400	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe	29
PID 1400 wrote to memory of 1960	1400	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe	29
PID 1960 wrote to memory of 1888	1960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe	30
PID 1960 wrote to memory of 1888	1960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe	30
PID 1960 wrote to memory of 1888	1960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe	30
PID 1960 wrote to memory of 1888	1960	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe	30
PID 1888 wrote to memory of 1740	1888	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe	31
PID 1888 wrote to memory of 1740	1888	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe	31
PID 1888 wrote to memory of 1740	1888	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe	31
PID 1888 wrote to memory of 1740	1888	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe	31
PID 1740 wrote to memory of 1796	1740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe	32
PID 1740 wrote to memory of 1796	1740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe	32
PID 1740 wrote to memory of 1796	1740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe	32
PID 1740 wrote to memory of 1796	1740	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe	32
PID 1796 wrote to memory of 852	1796	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe	33
PID 1796 wrote to memory of 852	1796	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe	33
PID 1796 wrote to memory of 852	1796	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe	33
PID 1796 wrote to memory of 852	1796	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe	33
PID 852 wrote to memory of 608	852	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe	34
PID 852 wrote to memory of 608	852	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe	34
PID 852 wrote to memory of 608	852	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe	34
PID 852 wrote to memory of 608	852	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe	34
PID 608 wrote to memory of 1244	608	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe	35
PID 608 wrote to memory of 1244	608	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe	35
PID 608 wrote to memory of 1244	608	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe	35
PID 608 wrote to memory of 1244	608	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe	35
PID 1244 wrote to memory of 1540	1244	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe	36
PID 1244 wrote to memory of 1540	1244	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe	36
PID 1244 wrote to memory of 1540	1244	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe	36
PID 1244 wrote to memory of 1540	1244	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe	36
PID 1540 wrote to memory of 1692	1540	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe	37
PID 1540 wrote to memory of 1692	1540	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe	37
PID 1540 wrote to memory of 1692	1540	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe	37
PID 1540 wrote to memory of 1692	1540	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe	37
PID 1692 wrote to memory of 480	1692	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe	38
PID 1692 wrote to memory of 480	1692	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe	38
PID 1692 wrote to memory of 480	1692	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe	38
PID 1692 wrote to memory of 480	1692	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe	38
PID 480 wrote to memory of 640	480	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe	39
PID 480 wrote to memory of 640	480	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe	39
PID 480 wrote to memory of 640	480	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe	39
PID 480 wrote to memory of 640	480	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe	39
PID 640 wrote to memory of 876	640	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe	40
PID 640 wrote to memory of 876	640	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe	40
PID 640 wrote to memory of 876	640	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe	40
PID 640 wrote to memory of 876	640	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe	40
PID 876 wrote to memory of 616	876	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe	41
PID 876 wrote to memory of 616	876	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe	41
PID 876 wrote to memory of 616	876	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe	41
PID 876 wrote to memory of 616	876	2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe	41

C:\Users\Admin\AppData\Local\Temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe
"C:\Users\Admin\AppData\Local\Temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096
- \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
  c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2016
- - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
    c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
      c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1400
    - - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:616
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1464
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:912
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1156
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:780
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1896
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1088
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1500
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1240
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2024
        
        \??\c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
        
        c:\users\admin\appdata\local\temp\2049191a8e78f562bd5c50b251d47bff344113a09da0a2bbd71d68325c3b7670_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads