fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe
Size

438KB
MD5

b045d2348e15042c7b715e3972a32680
SHA1

73bf25ce706759bcc53b192b90ec73176bcd4b9d
SHA256

fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498
SHA512

f6242ba5b995e8141cac72ac31d5087b9acb982714697f8a3452d52a64636533c33a28d46d556c9515c83ea49dc72bf39b0c39c349d7a031a11462c710c6954a
SSDEEP

6144:it03a62hzpSNxV2qcJVLNyTiY6wDyIJ2r/bl4rKE:Os52hzpHq8eTi30yIQrDl8

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 33 IoCs

resource	yara_rule
behavioral1/memory/2848-12-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/3064-15-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/3064-29-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2684-45-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2524-61-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2544-75-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2528-78-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2528-91-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1204-106-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/240-122-0x0000000001DC0000-0x0000000001E39000-memory.dmp	UPX
behavioral1/memory/2724-130-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/240-121-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2724-137-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/944-161-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2500-152-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/944-168-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2004-184-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2668-200-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2280-215-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2084-230-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2116-245-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1812-260-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1916-271-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/696-281-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1964-293-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1224-304-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2064-323-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/3068-316-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2064-328-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/704-341-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2332-352-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1692-363-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2616-365-0x0000000000400000-0x0000000000479000-memory.dmp	UPX

Executes dropped EXE 26 IoCs

pid	Process
3064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
2684	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
2524	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
2544	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe
2528	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
1204	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
240	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
2724	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
2500	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
944	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
2004	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
2668	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
2280	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
2084	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
2116	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
1812	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
1916	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
696	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
1964	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
1224	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
3068	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe
2064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
704	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
2332	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
1692	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe
2616	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2848	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe
2848	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe
3064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
3064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
2684	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
2684	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
2524	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
2524	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
2544	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe
2544	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe
2528	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
2528	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
1204	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
1204	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
240	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
240	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
2724	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
2724	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
2500	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
2500	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
944	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
944	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
2004	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
2004	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
2668	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
2668	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
2280	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
2280	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
2084	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
2084	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
2116	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
2116	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
1812	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
1812	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
1916	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
1916	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
696	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
696	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
1964	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
1964	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
1224	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
1224	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
3068	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe
3068	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe
2064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
2064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
704	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
704	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
2332	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
2332	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
1692	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe
1692	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2ad3e8404022d721	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3064	2848	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe	28
PID 2848 wrote to memory of 3064	2848	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe	28
PID 2848 wrote to memory of 3064	2848	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe	28
PID 2848 wrote to memory of 3064	2848	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe	28
PID 3064 wrote to memory of 2684	3064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe	29
PID 3064 wrote to memory of 2684	3064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe	29
PID 3064 wrote to memory of 2684	3064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe	29
PID 3064 wrote to memory of 2684	3064	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe	29
PID 2684 wrote to memory of 2524	2684	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe	30
PID 2684 wrote to memory of 2524	2684	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe	30
PID 2684 wrote to memory of 2524	2684	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe	30
PID 2684 wrote to memory of 2524	2684	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe	30
PID 2524 wrote to memory of 2544	2524	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe	31
PID 2524 wrote to memory of 2544	2524	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe	31
PID 2524 wrote to memory of 2544	2524	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe	31
PID 2524 wrote to memory of 2544	2524	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe	31
PID 2544 wrote to memory of 2528	2544	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe	32
PID 2544 wrote to memory of 2528	2544	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe	32
PID 2544 wrote to memory of 2528	2544	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe	32
PID 2544 wrote to memory of 2528	2544	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe	32
PID 2528 wrote to memory of 1204	2528	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe	33
PID 2528 wrote to memory of 1204	2528	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe	33
PID 2528 wrote to memory of 1204	2528	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe	33
PID 2528 wrote to memory of 1204	2528	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe	33
PID 1204 wrote to memory of 240	1204	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe	34
PID 1204 wrote to memory of 240	1204	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe	34
PID 1204 wrote to memory of 240	1204	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe	34
PID 1204 wrote to memory of 240	1204	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe	34
PID 240 wrote to memory of 2724	240	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe	35
PID 240 wrote to memory of 2724	240	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe	35
PID 240 wrote to memory of 2724	240	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe	35
PID 240 wrote to memory of 2724	240	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe	35
PID 2724 wrote to memory of 2500	2724	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe	36
PID 2724 wrote to memory of 2500	2724	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe	36
PID 2724 wrote to memory of 2500	2724	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe	36
PID 2724 wrote to memory of 2500	2724	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe	36
PID 2500 wrote to memory of 944	2500	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe	37
PID 2500 wrote to memory of 944	2500	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe	37
PID 2500 wrote to memory of 944	2500	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe	37
PID 2500 wrote to memory of 944	2500	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe	37
PID 944 wrote to memory of 2004	944	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe	38
PID 944 wrote to memory of 2004	944	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe	38
PID 944 wrote to memory of 2004	944	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe	38
PID 944 wrote to memory of 2004	944	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe	38
PID 2004 wrote to memory of 2668	2004	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe	39
PID 2004 wrote to memory of 2668	2004	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe	39
PID 2004 wrote to memory of 2668	2004	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe	39
PID 2004 wrote to memory of 2668	2004	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe	39
PID 2668 wrote to memory of 2280	2668	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe	40
PID 2668 wrote to memory of 2280	2668	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe	40
PID 2668 wrote to memory of 2280	2668	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe	40
PID 2668 wrote to memory of 2280	2668	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe	40
PID 2280 wrote to memory of 2084	2280	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe	41
PID 2280 wrote to memory of 2084	2280	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe	41
PID 2280 wrote to memory of 2084	2280	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe	41
PID 2280 wrote to memory of 2084	2280	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe	41
PID 2084 wrote to memory of 2116	2084	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe	42
PID 2084 wrote to memory of 2116	2084	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe	42
PID 2084 wrote to memory of 2116	2084	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe	42
PID 2084 wrote to memory of 2116	2084	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe	42
PID 2116 wrote to memory of 1812	2116	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe	43
PID 2116 wrote to memory of 1812	2116	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe	43
PID 2116 wrote to memory of 1812	2116	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe	43
PID 2116 wrote to memory of 1812	2116	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe
"C:\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
  c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3064
- - \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
    c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
      c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2524
    - - \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1812
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1916
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:696
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1964
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1224
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:3068
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2064
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:704
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2332
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1692
        
        \??\c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202y.exe
        
        c:\users\admin\appdata\local\temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe

Filesize
438KB

MD5
fcceb2ad45bb299657c4a3844eb92546

SHA1
6e471fe6cd8c9031922f289c3e9ee466b83d8444

SHA256
69e0a68ab6f652b05cb26684e7e8969054041719f02b435007748be861b78370

SHA512
a459e9528b56118554d0e84c03992a499b1172c65d4a90b0d0fdd378e2a14106a639ead9ccfa4fe13f689106ddbebf85943e45e2cd7705e7a1174136660098f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe

Filesize
440KB

MD5
daf0caf4a2ae857b878967da29739719

SHA1
5e3a0da056f4165f4aab5d285f8aaa0900db2d87

SHA256
79180859b6c523361057e4ff344db4b08f2c2537d1dae9235bff4393bb632899

SHA512
a04ca67318a525d1d5c1501adb982952b18091ba37eea98a134f9921514ff5a51f03212c78c39af9159359d81392bebc5bd6a9f5edcf44de7f8e4c4d798057c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe

Filesize
440KB

MD5
ccbe88bfb5512427707b9a320442ba34

SHA1
57792d6070050b0e4231242d5edaf7250e89114f

SHA256
5de7e1455403e75741158046b8f3b806dd2000220d1358bc55f74c4b527d5c59

SHA512
048700bfd9d52f3fe3e79920dd52988b87220a520ff792fc91761d18f1691861a0c0c0221e99c2a26437166f4b83f3ca9ba7b0650bab108365955f512863e805

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe

Filesize
438KB

MD5
2f1849ff74bc4e84498f1b89f8006b02

SHA1
ae7969ccd79fddd962c5bfd8533df6999ac8c34d

SHA256
97b67993847414501d4fbdfa0187fb16418e94faf0de610a196587c9b1011916

SHA512
65bb6b609361e1ee270e9382971f3824037d70e0d5a6b8fc37a3c1bb3bc2a7235a4654551108dc8dc28d0bc0d06759f17232da2c5649c9b258bfec3909259d34

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe

Filesize
438KB

MD5
7ced7c219316e49d45207844385d34a2

SHA1
05ed52e636448cb4dc34e6e2e81d4c6f31d75263

SHA256
49c8462e9197c7595bcfd788572e0ca23d5fe8d6f4ea4f5ce6448e110e7ef82a

SHA512
65fc791d32362ae0e5b5624bf97f9538282a24f30ad57d4c06705824104e44cc43e8e30571bbf2a248c2ec9fa370298ba529d9136104753dd48fde6602c87479

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe

Filesize
439KB

MD5
22c535cf7c242b6c2650cc761f9cbd91

SHA1
b5b8c2559f551a44414465433f774f5305a8cefa

SHA256
14d65ab465cfe080b954da2e44dd23d4a8b4be99c4ca7965fb10adcc93ac4fce

SHA512
5ff22cb1f1b8dec90535b02c3019ae221fa0a4a7b1c42ae6bbba5253ff3f37290e1cd960b712c63e6ed2ab47070b9b3af79fc36b191f1a7a5176444f946322d5

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe

Filesize
439KB

MD5
0e5a3d819b2e84ddce16087152a4444f

SHA1
045493334e2e8c53ee76285e75feca484d551236

SHA256
be59876e7d99ce03adad25ed966a0c19bdbe16dd4d2dfd98ed3d13772b62379f

SHA512
cad31494cbb9d3ea4ace1560592c490b6e5ba5e2fd1e9a934f883c41a7f2a44b2ee4e4d160d13e558066388107c1748bf34616bfc5c46379d3e77d72704ae9e1

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe

Filesize
439KB

MD5
07bc6c32f813a4ab48b51cb581b3a3a0

SHA1
4ac8964597aaeb4b984e49bba4cc45d8afb305b9

SHA256
751c8d36b7b0c664c739ed1609400eb85566a88c5668746203562a553be95b39

SHA512
ff064b923d55252b418fbd595d6cd695054bd78011c53f1182d7daa6f4603b4fe7706b57a4de1629e32cf4acf348351410fc8939186233d0274ebdffde0ca0d2

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe

Filesize
439KB

MD5
35f5eff789f07cbe2a3d2cef28ada9b0

SHA1
b1e75f0683d1514c9caf12ad94d096517c678802

SHA256
4345a3732060cc376149a40c046be457789126227e13c39367d4953fd6e31dae

SHA512
ddf1dc361e2d196d2d945a0e9cf4efa928b4b14c045b4e0414c65da20c7d0b7a12e91d1eb80e6abdc455a9bee670c5990f1379c5aa77e9fb460b65f299f41bdf

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe

Filesize
440KB

MD5
81e11e79b6e26481b879ccef8c137e6f

SHA1
717f223a9e731b82ef034e8605392112d6c5d776

SHA256
c324700b90fb73255630cbe843d07412a72473178c8cb5f7784923a36b2294d8

SHA512
a29ffd56c619602c0fc693382080b58e4906f5df677194cbecd0e5395a47f4e6ae13cb30ce1401dbe90d36ded05985c9501d815af28caea5a88672238f300bfa

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe

Filesize
440KB

MD5
5bcd4afe487344db6fde6447ff0ef79c

SHA1
80fb967a82bc2993c23df5fda9c71832a3a3d07d

SHA256
09b159f52b8845f2e6d4cf97dc81c91ef7ad76587cb274de0089154bfad2348c

SHA512
c2c3b40df9bcdb554cf1a5f61e99a7511542de66028cde90656a0667ab40dfa0fdf1d726dbf9d5ab083c3b29a0b98c7bd78e443de74f5c359eda7d4223481fc2

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe

Filesize
440KB

MD5
9561618bd1b259222266843b6ae93eda

SHA1
922a3bf40fb8b47d642220f635e9977226830e07

SHA256
2e229ce13ce025cb5e078e92a202c614db8e21584e8086afd6120b559f6d2b2e

SHA512
31847b4ed984c3321aa2ecb131586b1f49af6aede8cbc2d349b501690d0fb2736a65e354c23d19d95055f6719b15df5b4c80edda34b13d7cd48c919ae57e41b0

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe

Filesize
128KB

MD5
0d97077c11ae2026246e065e3899f5c7

SHA1
971d4364e7a0b075b68558a4a3b584e0b30e8533

SHA256
ca1e90c13005f618e18ded30a346d577c5640d237e1dd529149d50533753134a

SHA512
35991a631ef6828ede35ddd7c4a05129304b0173a6bf6ff4407e0d4acb137503533fdc7c6f240caa10fc2803d0977996434f5dccca051d93d23d8d3a3da8d006

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe

Filesize
441KB

MD5
47a21b677b1359edf0a93a1c29aafe03

SHA1
9f678bd9f99c97cc33b532b987ef91ff679ab502

SHA256
c0ec63617bad7c3f364e1a9dff54578824066f406a43e3ca9a53e13e8d994c1b

SHA512
07d6bfae1897bbbe7232230c58ec4c4abb79c8d0af7df46c6b633c0d682fe1cbab275e89e69c4b0ddf746ffe384a831e7be2548bb0837acf9452081bc7547a54

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe

Filesize
441KB

MD5
b2d2925c8001a137d0e3491a03306142

SHA1
22e5089821110b206377f0519f4917b5ae693566

SHA256
df48e105adcb991995996e378e20a9407da072aff52d24176bd86c570a792b5b

SHA512
1b5e1cd1ef80be662b81b8b8c7e03cb5d5fbf633a9b341ffa830b4b206424b74216caff2039bb3506e86c3041e0c783f7cd1d0b8a16251908f86da6b5ad78f25

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe

Filesize
441KB

MD5
32edb7c02f4195fe64933522584bb7b4

SHA1
56e77fe57225e29030133c72d5b5b1fa75a4ebef

SHA256
000f02c612a2ac4da2b0e39b538f87659a509334309221ccda838b962dfc6e2c

SHA512
79148e6152f0ce31c60f2bf9f54b02932f6f7050dc87351b2d383eee7afeec55cf4161176cbabe5ecd01c2685f8637f627adef2f6c60241398b0e9eb4f918a3d

Download Submit
\Users\Admin\AppData\Local\Temp\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe

Filesize
441KB

MD5
84ae85ee4647d1d70303bf28c7de6de3

SHA1
bccfce1cd3eb27cb6e0d25cf1be4d79a4ec83cf3

SHA256
f736fe14d8517022670473518add5b52fde7fd7d80aa9f6b0b5e14f05838a25c

SHA512
c4255e1604d4b1c3db11ec1ebbaccaeb1c8c518944e7f5dec28327c3cf5baff9922e04d8fe3129524bf2ba48ed8efadf361ea59b2b1a957fca6895c680594332

Download Submit
memory/240-122-0x0000000001DC0000-0x0000000001E39000-memory.dmp

Filesize
484KB

Download
memory/240-121-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/240-108-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/696-281-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/696-282-0x0000000001D30000-0x0000000001DA9000-memory.dmp

Filesize
484KB

Download
memory/704-330-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/704-341-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/704-340-0x00000000002D0000-0x0000000000349000-memory.dmp

Filesize
484KB

Download
memory/944-168-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-161-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/944-170-0x0000000001D90000-0x0000000001E09000-memory.dmp

Filesize
484KB

Download
memory/944-246-0x0000000001D90000-0x0000000001E09000-memory.dmp

Filesize
484KB

Download
memory/1204-93-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1204-106-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1224-304-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1224-294-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1692-363-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1692-353-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1812-260-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1916-271-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1916-261-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1964-293-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1964-283-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2004-184-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2004-183-0x0000000001E20000-0x0000000001E99000-memory.dmp

Filesize
484KB

Download
memory/2064-328-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2064-323-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2064-329-0x0000000000320000-0x0000000000399000-memory.dmp

Filesize
484KB

Download
memory/2084-230-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2084-217-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2116-305-0x00000000020C0000-0x0000000002139000-memory.dmp

Filesize
484KB

Download
memory/2116-232-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2116-245-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2116-248-0x00000000020C0000-0x0000000002139000-memory.dmp

Filesize
484KB

Download
memory/2280-202-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2280-215-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-342-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2332-352-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2500-152-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2500-153-0x00000000007F0000-0x0000000000869000-memory.dmp

Filesize
484KB

Download
memory/2524-61-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2524-46-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2524-55-0x0000000001DF0000-0x0000000001E69000-memory.dmp

Filesize
484KB

Download
memory/2528-91-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2528-78-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2544-75-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2544-139-0x0000000002100000-0x0000000002179000-memory.dmp

Filesize
484KB

Download
memory/2544-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2544-76-0x0000000002100000-0x0000000002179000-memory.dmp

Filesize
484KB

Download
memory/2616-365-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2616-364-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2668-200-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2668-195-0x0000000002120000-0x0000000002199000-memory.dmp

Filesize
484KB

Download
memory/2668-186-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2684-45-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2684-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-137-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2848-12-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2848-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2848-13-0x0000000000500000-0x0000000000579000-memory.dmp

Filesize
484KB

Download
memory/3064-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3064-28-0x0000000000320000-0x0000000000399000-memory.dmp

Filesize
484KB

Download
memory/3064-29-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3068-316-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3068-317-0x0000000000510000-0x0000000000589000-memory.dmp

Filesize
484KB

Download
memory/3068-306-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202d.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202g.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202i.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202y.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202f.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202k.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202m.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202w.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202q.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202u.exe\""	fc6dfecb327c0438747937c43fd8c06da61870ba721255a47d0f83eb13cdc498_3202t.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads