fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49

Analysis

max time kernel
164s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Size

346KB
MD5

a8fde79caa8763f26e0b9060a0f028c7
SHA1

195c642d1dc8d14cc11f8a1638f476f6e2e74119
SHA256

fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49
SHA512

7c717594dd6cbd0dc483ee1158562222c7e73a5e16ab7153dee134fab39c2e43ec6097371e50b52002e41740078d971f2812487efcd16cd4a80dde9b75537af8
SSDEEP

6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sXUzQIy:ZtXMzqrllX7XwXEIy

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2080	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
684	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
2956	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
4940	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
2024	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
788	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
4540	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
2432	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
3560	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
1724	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
2732	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
3464	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
4240	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
4440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
3452	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
4896	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
2728	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
4224	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
3104	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
3500	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
4160	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
1340	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
3008	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
4880	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
5024	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
3580	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3180-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0008000000023327-5.dat	upx
behavioral2/memory/2080-9-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3180-10-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2080-18-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/684-30-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2956-29-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/684-25-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002332e-37.dat	upx
behavioral2/memory/2956-39-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4940-40-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2024-57-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/788-63-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023336-65.dat	upx
behavioral2/memory/4540-68-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2432-84-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3560-102-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2732-106-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002333a-105.dat	upx
behavioral2/memory/1724-101-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3560-92-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4540-77-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/788-67-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3464-122-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2732-115-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4240-130-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4240-140-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4440-144-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3452-150-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2728-163-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4896-159-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4224-179-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023340-180.dat	upx
behavioral2/memory/1724-182-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3104-188-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2728-178-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3104-191-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4160-202-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4160-221-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4880-237-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3580-252-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4896-253-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3452-251-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5024-248-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3008-231-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3008-227-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1340-220-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3500-198-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4880-256-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = aa061dbe31f3cc15	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 2080	3180	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe	98
PID 3180 wrote to memory of 2080	3180	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe	98
PID 3180 wrote to memory of 2080	3180	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe	98
PID 2080 wrote to memory of 684	2080	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe	99
PID 2080 wrote to memory of 684	2080	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe	99
PID 2080 wrote to memory of 684	2080	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe	99
PID 684 wrote to memory of 2956	684	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe	100
PID 684 wrote to memory of 2956	684	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe	100
PID 684 wrote to memory of 2956	684	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe	100
PID 2956 wrote to memory of 4940	2956	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe	101
PID 2956 wrote to memory of 4940	2956	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe	101
PID 2956 wrote to memory of 4940	2956	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe	101
PID 4940 wrote to memory of 2024	4940	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe	102
PID 4940 wrote to memory of 2024	4940	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe	102
PID 4940 wrote to memory of 2024	4940	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe	102
PID 2024 wrote to memory of 788	2024	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe	103
PID 2024 wrote to memory of 788	2024	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe	103
PID 2024 wrote to memory of 788	2024	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe	103
PID 788 wrote to memory of 4540	788	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe	104
PID 788 wrote to memory of 4540	788	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe	104
PID 788 wrote to memory of 4540	788	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe	104
PID 4540 wrote to memory of 2432	4540	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe	105
PID 4540 wrote to memory of 2432	4540	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe	105
PID 4540 wrote to memory of 2432	4540	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe	105
PID 2432 wrote to memory of 3560	2432	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe	106
PID 2432 wrote to memory of 3560	2432	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe	106
PID 2432 wrote to memory of 3560	2432	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe	106
PID 3560 wrote to memory of 1724	3560	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe	107
PID 3560 wrote to memory of 1724	3560	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe	107
PID 3560 wrote to memory of 1724	3560	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe	107
PID 1724 wrote to memory of 2732	1724	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe	108
PID 1724 wrote to memory of 2732	1724	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe	108
PID 1724 wrote to memory of 2732	1724	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe	108
PID 2732 wrote to memory of 3464	2732	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe	109
PID 2732 wrote to memory of 3464	2732	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe	109
PID 2732 wrote to memory of 3464	2732	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe	109
PID 3464 wrote to memory of 4240	3464	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe	110
PID 3464 wrote to memory of 4240	3464	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe	110
PID 3464 wrote to memory of 4240	3464	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe	110
PID 4240 wrote to memory of 4440	4240	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe	111
PID 4240 wrote to memory of 4440	4240	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe	111
PID 4240 wrote to memory of 4440	4240	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe	111
PID 4440 wrote to memory of 3452	4440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe	112
PID 4440 wrote to memory of 3452	4440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe	112
PID 4440 wrote to memory of 3452	4440	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe	112
PID 3452 wrote to memory of 4896	3452	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe	113
PID 3452 wrote to memory of 4896	3452	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe	113
PID 3452 wrote to memory of 4896	3452	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe	113
PID 4896 wrote to memory of 2728	4896	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe	114
PID 4896 wrote to memory of 2728	4896	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe	114
PID 4896 wrote to memory of 2728	4896	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe	114
PID 2728 wrote to memory of 4224	2728	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe	115
PID 2728 wrote to memory of 4224	2728	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe	115
PID 2728 wrote to memory of 4224	2728	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe	115
PID 4224 wrote to memory of 3104	4224	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe	116
PID 4224 wrote to memory of 3104	4224	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe	116
PID 4224 wrote to memory of 3104	4224	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe	116
PID 3104 wrote to memory of 3500	3104	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe	117
PID 3104 wrote to memory of 3500	3104	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe	117
PID 3104 wrote to memory of 3500	3104	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe	117
PID 3500 wrote to memory of 4160	3500	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe	118
PID 3500 wrote to memory of 4160	3500	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe	118
PID 3500 wrote to memory of 4160	3500	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe	118
PID 4160 wrote to memory of 1340	4160	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe	119

C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
"C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180
- \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
  c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2080
- - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
    c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:684
  - - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
      c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2956
    - - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1340
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3008
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4880
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5024
        
        \??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
        
        c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe

Filesize
346KB

MD5
28fab194084d77ad146c8aa0a833e2bb

SHA1
50b19cee4bea4b80c4e7ab4fd9452d578cb998e2

SHA256
0d4b9190a15f15924d766c38ff3758bbd4e07ac43e6dcd05e6b487f2ef4c528e

SHA512
310a47b4854150a41d1e2f683fcdb78ee51bac03ab9e157a887ce2bbc5a4ce460ffb3d2ccd1e86adf8d105eb723ab31d713eb85f70370680a5a3e97cc8617978

Download Submit
C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe

Filesize
346KB

MD5
a07344f042986ce8059ba0842d755e12

SHA1
c82f7e645e8aa84e4dd5b1c3986a7bba9476dcf9

SHA256
f5db0159871de1effbd55e99e1680d52c2e2dfc3dca7e627a0e2be7145364bcb

SHA512
255165e5f426b65a52b660e9a46c10bee238fd2a92775bafe0c616fc7e3d5874a6522b9f14d7533db7eff3b5913ea6cc8dd4ea68f0d7b37abbf66449717486e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe

Filesize
346KB

MD5
4f985752a7997797fa8f6c855148c4c6

SHA1
b6a926159b59fdd2388b7feb16fc3a1558f8098f

SHA256
b169703d83adc379cfac7916ee1f8d7b7b6571741340d6a88010eff55080ff97

SHA512
3225dcb81f47e821e766a8a1de4098f911b426b643f2e06797e4d72d68848018e8cb0c395f8191e90de004fbbeaea4e3c0a365cdf8be6e15cad0d22e69213727

Download Submit
C:\Users\Admin\AppData\Local\Temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe

Filesize
346KB

MD5
2bde760b0267e256ae95717977881686

SHA1
e6e65a00758c52c4fca030084eb9abbedfb38a86

SHA256
6bb8da14741a4e1ea5537179a8bc72efe5d1ee6fd4b6908267b3f1679cb18ab1

SHA512
be5c3556a36eeb0f1e046c3bf8519dd137beefe26a0d86ecac4c45081d64ca2ba744d2bb931b87496a7ea70e4025b4652386abb9c1680d7acb13189266aa57f7

Download Submit
\??\c:\users\admin\appdata\local\temp\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe

Filesize
346KB

MD5
b0deddae0e3dd773b5a79f56bf1ef017

SHA1
0d992e1fb0d3c99551232fff86a779dfa0d2847e

SHA256
b977442b92cc5a67cfa3bee831a4c9e511cbf5157d54ce8ce2f05336ce1c0c33

SHA512
fbf8783859d2ffde53ea0c67e61e66003a3015215cb42b5d7f6187b9da0c6a3fb69dfc27e99ef43fcd386c3215f3a75685fc1b837bf9d1b54a97dc3913a6a262

Download Submit
memory/684-30-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/684-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/788-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1340-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1340-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1724-182-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1724-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2024-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2080-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2080-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2432-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-178-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-115-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2956-29-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3008-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3008-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3180-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3180-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3452-150-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3452-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3464-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3464-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3500-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3500-198-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3560-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3560-92-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3580-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4160-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4160-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4224-179-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4240-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4240-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4540-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4540-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4880-237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4880-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4896-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4896-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4940-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5024-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202f.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202k.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202e.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202j.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202t.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202r.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202i.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202m.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202w.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202y.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202b.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202q.exe\""	fde67652e827509dc3e738e7ff5fc544f08ad31f89dc35894a0009bb2c18ca49_3202p.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads