fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Size

346KB
MD5

a8fde79caa8763f26e0b9060a0f028c7
SHA1

195c642d1dc8d14cc11f8a1638f476f6e2e74119
SHA256

fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49
SHA512

7c717594dd6cbd0dc483ee1158562222c7e73a5e16ab7153dee134fab39c2e43ec6097371e50b52002e41740078d971f2812487efcd16cd4a80dde9b75537af8
SSDEEP

6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sXUzQIy:ZtXMzqrllX7XwXEIy

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1036	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
2616	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
2672	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
2440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
2448	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
2892	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
2760	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
2904	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
2324	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
2316	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
1136	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
572	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
1652	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
2296	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
2968	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
2900	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
396	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
1544	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
1660	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
2164	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
2844	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
2820	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
1516	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
1716	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
2512	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
2696	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1048	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
1048	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
1036	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
1036	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
2616	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
2616	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
2672	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
2672	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
2440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
2440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
2448	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
2448	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
2892	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
2892	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
2760	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
2760	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
2904	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
2904	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
2324	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
2324	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
2316	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
2316	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
1136	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
1136	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
572	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
572	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
1652	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
1652	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
2296	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
2296	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
2968	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
2968	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
2900	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
2900	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
396	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
396	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
1544	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
1544	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
1660	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
1660	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
2164	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
2164	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
2844	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
2844	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
2820	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
2820	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
1516	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
1516	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
1716	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
1716	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
2512	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
2512	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1048-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000900000001227e-5.dat	upx
behavioral1/memory/1048-12-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1036-20-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1036-27-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2616-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2616-43-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2672-51-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000015c5a-52.dat	upx
behavioral1/memory/2672-54-0x00000000002A0000-0x00000000002DA000-memory.dmp	upx
behavioral1/memory/2440-62-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2672-60-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2440-76-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2448-83-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2448-91-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2892-105-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2760-114-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000a000000015c99-115.dat	upx
behavioral1/files/0x000a000000015c99-124.dat	upx
behavioral1/memory/2904-130-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000a000000015c99-123.dat	upx
behavioral1/memory/2760-122-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000a000000015c99-117.dat	upx
behavioral1/memory/2904-138-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2324-141-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2316-157-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2324-154-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2316-170-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1136-179-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000600000001680f-183.dat	upx
behavioral1/memory/1136-188-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1136-182-0x00000000003C0000-0x00000000003FA000-memory.dmp	upx
behavioral1/memory/1652-211-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/572-202-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1652-219-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2296-234-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2968-243-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2968-251-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2900-259-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016c20-253.dat	upx
behavioral1/memory/2968-245-0x00000000001B0000-0x00000000001EA000-memory.dmp	upx
behavioral1/memory/2900-264-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/396-270-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/396-276-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1544-282-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1544-288-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1660-289-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1660-300-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2164-306-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2164-312-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2844-318-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2844-324-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 544b0cea6b4e833d	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1036	1048	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe	28
PID 1048 wrote to memory of 1036	1048	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe	28
PID 1048 wrote to memory of 1036	1048	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe	28
PID 1048 wrote to memory of 1036	1048	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe	28
PID 1036 wrote to memory of 2616	1036	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe	29
PID 1036 wrote to memory of 2616	1036	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe	29
PID 1036 wrote to memory of 2616	1036	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe	29
PID 1036 wrote to memory of 2616	1036	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe	29
PID 2616 wrote to memory of 2672	2616	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe	30
PID 2616 wrote to memory of 2672	2616	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe	30
PID 2616 wrote to memory of 2672	2616	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe	30
PID 2616 wrote to memory of 2672	2616	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe	30
PID 2672 wrote to memory of 2440	2672	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe	31
PID 2672 wrote to memory of 2440	2672	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe	31
PID 2672 wrote to memory of 2440	2672	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe	31
PID 2672 wrote to memory of 2440	2672	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe	31
PID 2440 wrote to memory of 2448	2440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe	32
PID 2440 wrote to memory of 2448	2440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe	32
PID 2440 wrote to memory of 2448	2440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe	32
PID 2440 wrote to memory of 2448	2440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe	32
PID 2448 wrote to memory of 2892	2448	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe	33
PID 2448 wrote to memory of 2892	2448	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe	33
PID 2448 wrote to memory of 2892	2448	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe	33
PID 2448 wrote to memory of 2892	2448	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe	33
PID 2892 wrote to memory of 2760	2892	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe	34
PID 2892 wrote to memory of 2760	2892	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe	34
PID 2892 wrote to memory of 2760	2892	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe	34
PID 2892 wrote to memory of 2760	2892	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe	34
PID 2760 wrote to memory of 2904	2760	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe	35
PID 2760 wrote to memory of 2904	2760	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe	35
PID 2760 wrote to memory of 2904	2760	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe	35
PID 2760 wrote to memory of 2904	2760	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe	35
PID 2904 wrote to memory of 2324	2904	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe	36
PID 2904 wrote to memory of 2324	2904	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe	36
PID 2904 wrote to memory of 2324	2904	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe	36
PID 2904 wrote to memory of 2324	2904	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe	36
PID 2324 wrote to memory of 2316	2324	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe	37
PID 2324 wrote to memory of 2316	2324	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe	37
PID 2324 wrote to memory of 2316	2324	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe	37
PID 2324 wrote to memory of 2316	2324	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe	37
PID 2316 wrote to memory of 1136	2316	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe	38
PID 2316 wrote to memory of 1136	2316	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe	38
PID 2316 wrote to memory of 1136	2316	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe	38
PID 2316 wrote to memory of 1136	2316	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe	38
PID 1136 wrote to memory of 572	1136	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe	39
PID 1136 wrote to memory of 572	1136	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe	39
PID 1136 wrote to memory of 572	1136	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe	39
PID 1136 wrote to memory of 572	1136	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe	39
PID 572 wrote to memory of 1652	572	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe	40
PID 572 wrote to memory of 1652	572	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe	40
PID 572 wrote to memory of 1652	572	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe	40
PID 572 wrote to memory of 1652	572	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe	40
PID 1652 wrote to memory of 2296	1652	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe	41
PID 1652 wrote to memory of 2296	1652	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe	41
PID 1652 wrote to memory of 2296	1652	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe	41
PID 1652 wrote to memory of 2296	1652	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe	41
PID 2296 wrote to memory of 2968	2296	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe	42
PID 2296 wrote to memory of 2968	2296	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe	42
PID 2296 wrote to memory of 2968	2296	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe	42
PID 2296 wrote to memory of 2968	2296	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe	42
PID 2968 wrote to memory of 2900	2968	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe	43
PID 2968 wrote to memory of 2900	2968	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe	43
PID 2968 wrote to memory of 2900	2968	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe	43
PID 2968 wrote to memory of 2900	2968	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
"C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048
- \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
  c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1036
- - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
    c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
      c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2672
    - - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2900
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:396
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1544
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1660
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2164
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2844
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2820
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1516
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1716
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2512
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe

Filesize
346KB

MD5
0274b23d144a43de35d980ca537430f7

SHA1
1e66616d9a41668512fa190343fe2f0f7f511d19

SHA256
dffa51e967315cbeb005de5dcccf4efd57402ea0719ab45343cb790d4d9d79ba

SHA512
950f06de2e1a01e2ad8763d335ab67498f5fa36435ad59c22314d53b7921df4b8349dc8431cedc6fd1500870e592eea5ae6093e87bde2199f8bdb6d65f46198d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe

Filesize
88KB

MD5
f50394c957297f61be8686e82eef661c

SHA1
1121437e488c9266d8e82d4b7d20cbcf1a2e9680

SHA256
f03e242bfaabee8dbf3c7bdd7da8ef84b24b5d7ec19dad3b91a94920cdfbcbb5

SHA512
817b69086d7c09da6d54f30ccfc0e2a8de7fbba95dbfcdb157b02fa1338e8bac7b0ed3e94f2be0b8c20620fb38a601a82a819fac17f4bb4268c85dd15ab32b41

Download Submit
\??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe

Filesize
64KB

MD5
3438a3ea4173cbe77e45410b0f22208e

SHA1
ea3b063db858046b803c3e553ad28168911eeaf7

SHA256
aa4e69ef1333f226aa49f2a04af88d0950cf9430e60a2448c2125e0892bd4c13

SHA512
f804b758860d99717c02b466145c762d9fe7715e8f20b124f351dd1462e85813ca46140a2fcc4c253249c5f9603ffe00df6eedc4ddaa2fc09b82a67d76152163

Download Submit
\??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe

Filesize
346KB

MD5
fd741b0a5042cf057c8a85a55eb64c2f

SHA1
5de5f713faf03a098ea5a27bab0c28fd449c683a

SHA256
d368f8aa35230b9b84f5b6b43555a982732c55a5d2b8725ef9f78e5e4eed411a

SHA512
86d20ca169e01e03a591164124503ba8b7a39174e1c2d20f784154404de55246dad451411b104ee9e746618f33acdab270d22a7f6bd150ce0130f3ee47a6a638

Download Submit
\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe

Filesize
346KB

MD5
047d340abf6eef8ec50fe4ffb20c9b63

SHA1
09d597eecc025c7956491e9cf1d20d99d1de2058

SHA256
30fa52c7ab7e3ca6480e945735b7b6606094c7a25ed24773e86a594c63bc7ccc

SHA512
276cb194053f4467885c20a65ad881b5e688c1db91c9e463646eab24a15da254763f74f3079764db764cdd52b57032a8efdba1c25eee5ec0058dba09f345a5e1

Download Submit
\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe

Filesize
346KB

MD5
0425561c7c55e29c719dadaa573ddb63

SHA1
0dd11ca686025b0ee48a4d6e37a2506d34c4b340

SHA256
22cc2fb080d2c03c2d2aeb2826e51ac8767cfbb5f4ed20ef77b2e3698e079573

SHA512
b0105a86cae37e2a86051dfd1a0df221592ad43e2df7a4e6bc3c6c50a8bb339d1e1f2f719c5e59e15d80bdde3700316b093b205a69d3f2c736ec98b0e98febe6

Download Submit
\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe

Filesize
128KB

MD5
8476de976b5df00e6ffe085d2e011066

SHA1
c1a605d544271f46399bd8abe6c06941f85eb04e

SHA256
deeb3a2b07212eea717f72de320c3e1ef0ceb9d1c24d99d4ad2e99b4594a4f26

SHA512
dba3c866caa594937e247fecb552ebb4349a3bc7ef18370c3bbd6b4de2345f1ba23b06f78444026924a681c01b2426bfa0afe976d05b9b82f940e5bf86f3a878

Download Submit
\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe

Filesize
346KB

MD5
90120f0059323d9cb261e95625cf1ccc

SHA1
a196aeffae656236a93e76e9f580f67c60271fff

SHA256
fc420e109e2377fbe4530606c7f99461fb0f9219e5a35eb3fe670f5af24dabac

SHA512
e85999a61d51ea8efabe3f32bbf3378d1312825eb831d4f6bf6391a5e8ab3171a37089b01fa674eb99e0d5c69c15e61fce6501bba126b5e04a7422695d48b435

Download Submit
memory/396-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/396-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/396-275-0x0000000000230000-0x000000000026A000-memory.dmp

Filesize
232KB

Download
memory/572-203-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/572-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1036-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1036-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1048-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1048-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-185-0x00000000003C0000-0x00000000003FA000-memory.dmp

Filesize
232KB

Download
memory/1136-182-0x00000000003C0000-0x00000000003FA000-memory.dmp

Filesize
232KB

Download
memory/1136-179-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1544-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1544-287-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/1544-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-299-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/1652-221-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/1652-211-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-219-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-215-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/1660-300-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1660-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2164-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2164-306-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2296-234-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2296-235-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/2296-307-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/2316-157-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2316-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2324-153-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/2324-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2324-141-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2440-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2440-76-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-91-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-177-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2448-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-90-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2616-43-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2616-38-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2616-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-68-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/2672-54-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/2672-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2760-114-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2760-121-0x0000000000230000-0x000000000026A000-memory.dmp

Filesize
232KB

Download
memory/2760-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-330-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2844-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-178-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2892-106-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2900-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2900-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2904-133-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2904-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2904-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-245-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/2968-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-243-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-320-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads