68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe
Size

244KB
MD5

d8795e1b93c01b950fe7995bf3a61738
SHA1

bfb1d053cd817b8f61c34327ab0a3890b8081673
SHA256

68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc
SHA512

6668d3abe9e3817c3b69d20e7a2de0042b2cc8fde3748be9fb49580ecd1c8911d7717159de8a6d69bc6aa12d3d1182d89ac68e6af41dab98e995e5f904646607
SSDEEP

6144:X42FMaP+6+tT/JBnjBE3XwfSZ4sXAzQI6F:IKbGlJBjBEnwTEI6

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1600	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
2932	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
2632	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
2232	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
1864	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
2012	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
2996	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
2716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
2696	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
2340	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
2984	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
1716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
3036	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
1944	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
680	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
1076	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
1188	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
1476	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
952	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
920	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
2428	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
2100	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
2200	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe
2292	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
1980	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe
1656	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1720	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe
1720	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe
1600	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
1600	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
2932	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
2932	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
2632	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
2632	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
2232	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
2232	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
1864	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
1864	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
2012	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
2012	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
2996	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
2996	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
2716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
2716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
2696	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
2696	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
2340	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
2340	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
2984	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
2984	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
1716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
1716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
3036	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
3036	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
1944	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
1944	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
680	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
680	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
1076	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
1076	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
1188	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
1188	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
1476	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
1476	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
952	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
952	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
920	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
920	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
2428	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
2428	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
2100	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
2100	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
2200	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe
2200	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe
2292	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
2292	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
1980	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe
1980	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x000b0000000144ac-28.dat	upx
behavioral1/memory/1600-21-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x0009000000014825-38.dat	upx
behavioral1/memory/2932-35-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2632-43-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x0009000000014825-44.dat	upx
behavioral1/files/0x0009000000014825-42.dat	upx
behavioral1/memory/2632-57-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2232-64-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x0007000000014b31-58.dat	upx
behavioral1/files/0x0007000000014b70-71.dat	upx
behavioral1/memory/2232-73-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1864-74-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2012-90-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x000a000000014ef8-96.dat	upx
behavioral1/memory/2012-103-0x0000000001D60000-0x0000000001D9C000-memory.dmp	upx
behavioral1/files/0x000a000000014ef8-105.dat	upx
behavioral1/files/0x000a0000000155ed-111.dat	upx
behavioral1/memory/2696-140-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x0007000000015605-162.dat	upx
behavioral1/files/0x0006000000015b6f-198.dat	upx
behavioral1/files/0x0006000000015c3d-213.dat	upx
behavioral1/memory/1188-254-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/920-289-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/920-294-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1656-351-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1980-350-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1980-340-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2292-339-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2292-334-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2200-328-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2200-323-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2100-316-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2100-306-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2428-305-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2428-300-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/952-283-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/952-277-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1476-271-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1476-267-0x0000000000250000-0x000000000028C000-memory.dmp	upx
behavioral1/memory/1476-265-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1188-259-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/680-235-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1076-243-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x0006000000015c52-237.dat	upx
behavioral1/memory/680-227-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1944-220-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1944-212-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/3036-205-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/3036-197-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1716-183-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2984-176-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2340-155-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2696-147-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2716-133-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2716-119-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2996-117-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2012-102-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1864-87-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1720-13-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 45b190b0e7e14c8d	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202y.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1600	1720	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe	28
PID 1720 wrote to memory of 1600	1720	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe	28
PID 1720 wrote to memory of 1600	1720	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe	28
PID 1720 wrote to memory of 1600	1720	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe	28
PID 1600 wrote to memory of 2932	1600	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe	29
PID 1600 wrote to memory of 2932	1600	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe	29
PID 1600 wrote to memory of 2932	1600	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe	29
PID 1600 wrote to memory of 2932	1600	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe	29
PID 2932 wrote to memory of 2632	2932	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe	30
PID 2932 wrote to memory of 2632	2932	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe	30
PID 2932 wrote to memory of 2632	2932	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe	30
PID 2932 wrote to memory of 2632	2932	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe	30
PID 2632 wrote to memory of 2232	2632	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe	31
PID 2632 wrote to memory of 2232	2632	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe	31
PID 2632 wrote to memory of 2232	2632	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe	31
PID 2632 wrote to memory of 2232	2632	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe	31
PID 2232 wrote to memory of 1864	2232	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe	32
PID 2232 wrote to memory of 1864	2232	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe	32
PID 2232 wrote to memory of 1864	2232	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe	32
PID 2232 wrote to memory of 1864	2232	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe	32
PID 1864 wrote to memory of 2012	1864	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe	33
PID 1864 wrote to memory of 2012	1864	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe	33
PID 1864 wrote to memory of 2012	1864	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe	33
PID 1864 wrote to memory of 2012	1864	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe	33
PID 2012 wrote to memory of 2996	2012	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe	34
PID 2012 wrote to memory of 2996	2012	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe	34
PID 2012 wrote to memory of 2996	2012	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe	34
PID 2012 wrote to memory of 2996	2012	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe	34
PID 2996 wrote to memory of 2716	2996	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe	35
PID 2996 wrote to memory of 2716	2996	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe	35
PID 2996 wrote to memory of 2716	2996	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe	35
PID 2996 wrote to memory of 2716	2996	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe	35
PID 2716 wrote to memory of 2696	2716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe	36
PID 2716 wrote to memory of 2696	2716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe	36
PID 2716 wrote to memory of 2696	2716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe	36
PID 2716 wrote to memory of 2696	2716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe	36
PID 2696 wrote to memory of 2340	2696	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe	37
PID 2696 wrote to memory of 2340	2696	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe	37
PID 2696 wrote to memory of 2340	2696	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe	37
PID 2696 wrote to memory of 2340	2696	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe	37
PID 2340 wrote to memory of 2984	2340	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe	38
PID 2340 wrote to memory of 2984	2340	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe	38
PID 2340 wrote to memory of 2984	2340	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe	38
PID 2340 wrote to memory of 2984	2340	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe	38
PID 2984 wrote to memory of 1716	2984	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe	39
PID 2984 wrote to memory of 1716	2984	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe	39
PID 2984 wrote to memory of 1716	2984	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe	39
PID 2984 wrote to memory of 1716	2984	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe	39
PID 1716 wrote to memory of 3036	1716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe	40
PID 1716 wrote to memory of 3036	1716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe	40
PID 1716 wrote to memory of 3036	1716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe	40
PID 1716 wrote to memory of 3036	1716	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe	40
PID 3036 wrote to memory of 1944	3036	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe	41
PID 3036 wrote to memory of 1944	3036	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe	41
PID 3036 wrote to memory of 1944	3036	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe	41
PID 3036 wrote to memory of 1944	3036	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe	41
PID 1944 wrote to memory of 680	1944	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe	42
PID 1944 wrote to memory of 680	1944	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe	42
PID 1944 wrote to memory of 680	1944	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe	42
PID 1944 wrote to memory of 680	1944	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe	42
PID 680 wrote to memory of 1076	680	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe	43
PID 680 wrote to memory of 1076	680	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe	43
PID 680 wrote to memory of 1076	680	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe	43
PID 680 wrote to memory of 1076	680	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe
"C:\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
- \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
  c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1600
- - \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
    c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
      c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1076
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1188
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1476
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:952
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:920
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2428
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2100
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2200
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2292
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1980
        
        \??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202y.exe
        
        c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe

Filesize
244KB

MD5
cf53a7b915dd0a08785019bf36bf78a4

SHA1
2e9cc63b381fda74975fb4232a7408eb96f2f098

SHA256
c2947205ff333954722dbabd8831b7cab98df3b95ea2bd457be2b5792d166a0e

SHA512
af914a7cff0f51e03cf94b8e4990ce25f5493a5a3b05f5511ce2335a99ae3aac37c82c551d9c068de940f195b57a843120b268e01e288a5aee4b21bae392ea54

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe

Filesize
183KB

MD5
93550079c3cc50c1d378a003f2e77cec

SHA1
26d6b44fd5ca9c67e73604888020df7e85ffdb12

SHA256
cce693b360d20b9effa8ebca303cc480caa27ce38abee161168abb6f815684e9

SHA512
e1edbbdb48e03c4c5aa3d218942ac0da970876cae25591bce2be31c648438ea537eecb547d09ff44912454b964feb423231e269949efa76f2b9140db14bd9a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe

Filesize
138KB

MD5
bac40a9938107cec85dc00b633ef188f

SHA1
cbe5d5c2a6c07b2fc50cb57985513dc0028ed39c

SHA256
24314c922eb7c473d717d04501c54aa6cb59b10460502bca0e3128c76c9d707e

SHA512
dd98e59427f30a6296ff6a4a87b9540e0e23cc41235bed9339dc04cb08aa4bc0b5571e7f1b75ca9a6850497b2b038564b4f851c1b1a8f7c8a9fe64ebaf3953e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe

Filesize
45KB

MD5
e6eee1808dc76bb8cf858b2099ca10a2

SHA1
fadeee01bf41029c33ea77f207263b37e1bbf149

SHA256
9b51d0980ade641198df4c7cabec1da440f43c5798b0d9c4ecf53251b48c9635

SHA512
d34735ec7410a6f57fbccd2f497c5cb596875bee5a0f82b25974d110508f80b3488c603eb198884ac09aeda88f383c02f7d6476d0376ed72252cfc866968ecb6

Download Submit
\??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe

Filesize
168KB

MD5
a7e8d4c0e836fffe97a0fa70008ed15c

SHA1
b1909281989c5a11aea45b8e1ac3791f82f09a38

SHA256
c4fe9326b4b6ec20530a6704c3e41c4241d6082e95264ec814164a7bfcae9945

SHA512
9b9a830abbd25add925636bf0aff85baf497f2b3abd20dba15d4e8bc52d6347742073c0b62a890cf820b659a9ea51042652fd201af869e54d8d40d7c1f03b457

Download Submit
\??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe

Filesize
216KB

MD5
846057be95f2c98266cb1542c8694831

SHA1
eaa4a57005cc9c35179d442aa9ddfbb452acfa40

SHA256
d8feae36d13ba1f959229cefa27d7a9ac9a3dbb989ba5ff6d99afe86ec1eecaf

SHA512
7ffdcafbd472a1941018c905fa9935b444885ef91db62f567065bbe0eb82a011a11d862316b8bab7f8aaf416ea073633bbae450aa4597a93f559579bcca2fc6a

Download Submit
\??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe

Filesize
126KB

MD5
a32656db915531103cbc3baa8c932a38

SHA1
cf1d7264fc060d73b34ecbcacdd54397cdc76adc

SHA256
8671962ed7d82f5965556a8d2751a032e5b62bcaa784a4b8cec161385d044b75

SHA512
ae9247b78c2c710cecdfa45306191d0e3550c442de537232186893a5053bc9a5dee37234f01f7ed6c42fd8310708f98fb3b0095cf19461b5c1c5f5aa08890828

Download Submit
\??\c:\users\admin\appdata\local\temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe

Filesize
244KB

MD5
e12ea735cdd5a799b76bd58c99987eda

SHA1
2d55cb9bbe7f1401e64f5dd8589daf15c9f5c8d6

SHA256
79f442adccbeba37ac899a6a42604774ee66aeef1bdefa5ba80f65f866dc5e84

SHA512
d4bdb54ef639407d89261ee39f711467dbaacb9a4b064a80021d8feb0772107b3d759c63050d0558b06502e36aaa526ae7fd307bbd654c53e1901a69d9f3d9a2

Download Submit
\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe

Filesize
173KB

MD5
1e30a7429de7be7b8280a9798e937cbd

SHA1
3222a41cfef639c6e4fe3c1121234a63d2c30700

SHA256
80359672a1f3ace7823f15be22ffe08705a25101222c20cd8d614c57c6b6a112

SHA512
36887c8227356bf562f36b34ee6e2ae9b83bd0d669841748f1ae41abd162f73982d70854ab960d6dda36f6b0636d8162d01178b24bfa16311dd01bd0cf0b4e70

Download Submit
\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe

Filesize
123KB

MD5
470eb91e1454d19d7483d33f271b57ee

SHA1
f75e2d9cb414abb32a6ff4fc27176fe4485c5ac2

SHA256
aa86a20eeb1060cedcc8e82df4207d31abd1dec07a7e5567fe8b5e5e12385b70

SHA512
7ad156fcf2d61f0f3413e5d3d23c14542d50e523f1d8f290e0967ecc0fa05597bb1d54b149ab05543c6b8ee33639874b2f2756116760d0a881de62cd15346956

Download Submit
\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe

Filesize
138KB

MD5
7913d61f3295222656a5e00238794e1c

SHA1
d454b43b1f9cfcba1dbf015cd4c1e4ffc7ce9621

SHA256
8d3a63eaa53e7b5cf996236f433ce8053ab9ed4c150c4dd4fda392f471cc5956

SHA512
758aae2d1df363ea3a0bc36d5d9c0d91b8210a54b65b2253be275e7265032eff6fef6e79c041000664a84bec54a6142c4a74309c139408b7f090a790bef8cd54

Download Submit
\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe

Filesize
122KB

MD5
b505b468e4f605fb4c788b130b7e7111

SHA1
425d1ba63b6c17dd92ee1a9e897a11760e8fd468

SHA256
7b2fd5dfc90028146e243c23b00b810c98d4999dc90ecd8c29288caa6f46fe35

SHA512
088de7793c10d8d41ba10e4709d71fd3e33d857eb811f472ef701e645114c99e045b2ce4fbf51ed0d93d36d97ed49e3591a3af835418007bd34f41b6162ae3cc

Download Submit
\Users\Admin\AppData\Local\Temp\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe

Filesize
21KB

MD5
9f4ff2ce5e1324ba0a2d2fb25b8e30db

SHA1
5a42b8fd2117c0e4a1f38b08f74a1bbf2b4a0a48

SHA256
dc6ba784b71ee54a6523ba74b3246e15bdb62545d84b4df93840143d2a4787fb

SHA512
42b415aa608eafda0687e5f302d8ffbeae0b2a4c69768d0909998a5cf79bc64981b55ea7dd2632236e1b6a4b7c901c757b775b926e40d3400acfe891bb5e579c

Download Submit
memory/680-234-0x0000000001D40000-0x0000000001D7C000-memory.dmp

Filesize
240KB

Download
memory/680-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/680-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/920-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/920-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/952-282-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1076-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1076-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1188-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1188-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1476-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1476-267-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1476-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1716-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-12-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/1720-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1944-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1944-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1980-352-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1980-353-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1980-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-103-0x0000000001D60000-0x0000000001D9C000-memory.dmp

Filesize
240KB

Download
memory/2100-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2100-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2200-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2200-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2232-72-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2292-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-155-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2696-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2984-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202y.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202t.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202h.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202p.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202d.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202o.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202k.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202m.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202s.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202a.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202c.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202f.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202w.exe\""	68fa945a8b85f6f6caa7f910e6dbc48824ff9485073b609c1f59d1f0f0510afc_3202v.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads