3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe
Size

240KB
MD5

5139088c1b90cb6ba77225b6c6395b09
SHA1

6d517d5218944fd6c869682d420fe472dcd3288b
SHA256

3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31
SHA512

16320b961469f9982e99e01fe00a32b3d5d3e92ac693f7c0ba068a8731ceae1128b3fc33c96e56a899a4b4f221773bc143824c31e320aef6310a119087afdfb2
SSDEEP

6144:9hbZ5hMTNFf8LAurlEzAX7o5hn8wVSZ2sXc:vtXMzqrllX7618w

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1512	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe
1472	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe
4576	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe
112	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe
4504	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe
620	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe
5004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe
4004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe
3068	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe
1948	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe
4256	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe
1672	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe
5032	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe
3160	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe
856	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe
3092	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe
2044	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe
2024	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe
372	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe
4340	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe
3224	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe
772	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202u.exe
3864	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202v.exe
1112	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202w.exe
2396	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202x.exe
2516	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2592b4fb36ca8e43	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202u.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1512	740	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe	88
PID 740 wrote to memory of 1512	740	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe	88
PID 740 wrote to memory of 1512	740	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe	88
PID 1512 wrote to memory of 1472	1512	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe	89
PID 1512 wrote to memory of 1472	1512	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe	89
PID 1512 wrote to memory of 1472	1512	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe	89
PID 1472 wrote to memory of 4576	1472	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe	90
PID 1472 wrote to memory of 4576	1472	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe	90
PID 1472 wrote to memory of 4576	1472	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe	90
PID 4576 wrote to memory of 112	4576	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe	91
PID 4576 wrote to memory of 112	4576	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe	91
PID 4576 wrote to memory of 112	4576	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe	91
PID 112 wrote to memory of 4504	112	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe	92
PID 112 wrote to memory of 4504	112	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe	92
PID 112 wrote to memory of 4504	112	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe	92
PID 4504 wrote to memory of 620	4504	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe	93
PID 4504 wrote to memory of 620	4504	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe	93
PID 4504 wrote to memory of 620	4504	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe	93
PID 620 wrote to memory of 5004	620	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe	94
PID 620 wrote to memory of 5004	620	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe	94
PID 620 wrote to memory of 5004	620	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe	94
PID 5004 wrote to memory of 4004	5004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe	95
PID 5004 wrote to memory of 4004	5004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe	95
PID 5004 wrote to memory of 4004	5004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe	95
PID 4004 wrote to memory of 3068	4004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe	96
PID 4004 wrote to memory of 3068	4004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe	96
PID 4004 wrote to memory of 3068	4004	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe	96
PID 3068 wrote to memory of 1948	3068	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe	97
PID 3068 wrote to memory of 1948	3068	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe	97
PID 3068 wrote to memory of 1948	3068	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe	97
PID 1948 wrote to memory of 4256	1948	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe	98
PID 1948 wrote to memory of 4256	1948	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe	98
PID 1948 wrote to memory of 4256	1948	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe	98
PID 4256 wrote to memory of 1672	4256	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe	99
PID 4256 wrote to memory of 1672	4256	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe	99
PID 4256 wrote to memory of 1672	4256	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe	99
PID 1672 wrote to memory of 5032	1672	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe	100
PID 1672 wrote to memory of 5032	1672	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe	100
PID 1672 wrote to memory of 5032	1672	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe	100
PID 5032 wrote to memory of 3160	5032	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe	101
PID 5032 wrote to memory of 3160	5032	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe	101
PID 5032 wrote to memory of 3160	5032	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe	101
PID 3160 wrote to memory of 856	3160	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe	102
PID 3160 wrote to memory of 856	3160	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe	102
PID 3160 wrote to memory of 856	3160	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe	102
PID 856 wrote to memory of 3092	856	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe	103
PID 856 wrote to memory of 3092	856	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe	103
PID 856 wrote to memory of 3092	856	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe	103
PID 3092 wrote to memory of 2044	3092	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe	105
PID 3092 wrote to memory of 2044	3092	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe	105
PID 3092 wrote to memory of 2044	3092	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe	105
PID 2044 wrote to memory of 2024	2044	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe	106
PID 2044 wrote to memory of 2024	2044	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe	106
PID 2044 wrote to memory of 2024	2044	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe	106
PID 2024 wrote to memory of 372	2024	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe	107
PID 2024 wrote to memory of 372	2024	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe	107
PID 2024 wrote to memory of 372	2024	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe	107
PID 372 wrote to memory of 4340	372	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe	109
PID 372 wrote to memory of 4340	372	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe	109
PID 372 wrote to memory of 4340	372	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe	109
PID 4340 wrote to memory of 3224	4340	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe	110
PID 4340 wrote to memory of 3224	4340	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe	110
PID 4340 wrote to memory of 3224	4340	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe	110
PID 3224 wrote to memory of 772	3224	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe	111

C:\Users\Admin\AppData\Local\Temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe
"C:\Users\Admin\AppData\Local\Temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740
- \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe
  c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe
    c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe
      c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4576
    - - \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
      - \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202u.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:772
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202v.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3864
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202w.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1112
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202x.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2396
        
        \??\c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202y.exe
        
        c:\users\admin\appdata\local\temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe

Filesize
240KB

MD5
70e09031ece1109a8ac84c6d23e349bc

SHA1
f353285241de331400e48a4e10475a88fe8e3482

SHA256
67cba7bb0b2e38a2a6b8816482f3e5ff7fb7aacc8ce13ecef426a3c18294d87a

SHA512
233bfd59f051cd63fe7c65fb1d942d572a5a150b2897ee788f6b3cf5cab7bfd26956c0f1af2a86591a41275fd3f227e4225bf48c255b69bf42fc34b5f216653d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe

Filesize
240KB

MD5
35e539fdb23bcafdff374081b4561603

SHA1
e3f288f9d33b41f87c25a7219d412be3e961fcc2

SHA256
f5a49ccfc6f0c34c0db30c080d265bac84c3fa3b42dfe58ab35c0247ffca519f

SHA512
e027bb54aab61c59ff77164897d2ee43313513f9093608c6809a3d75447ef2860b84cb49d8bb81fbdd49c241068ce5f1e47ffdf2b0f155f17e7576fe31fc6c74

Download Submit
memory/112-51-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/372-183-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/372-176-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/620-65-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/620-56-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/740-8-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/740-0-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/772-210-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/856-148-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1112-229-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1472-28-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1512-9-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1512-17-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1672-119-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1948-99-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2024-173-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2044-165-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2396-236-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2516-240-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3068-92-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3092-156-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3160-138-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3224-203-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3864-218-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4004-82-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4004-75-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4256-102-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4256-110-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4340-193-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4504-53-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4576-35-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/5004-72-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/5032-127-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202v.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202w.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202f.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202p.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202o.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202u.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202e.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202t.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202x.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202h.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202m.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202b.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202j.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202y.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202d.exe\""	3a41926d18c1f4ea1f7a590554f4f9eecf011d4cfc52e336221236c804e30d31_3202c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads