Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 00:08
Behavioral task: behavioral1
Sample: a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe
Resource: win10v2004-20240226-en
General
Target: a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe
Size: 360KB
MD5: 5734fa65edfa6c4e36b2f28d895a6ead
SHA1: 61f2a6be3b86be4b2e220a77c0700b31f8316c34
SHA256: a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace
SHA512: edf56f844af0ead3080974c7f8a551cffe5a97399ee9817ab3bacbbd43ec0d47453cfeae467e1d8c34945ba7fa03b56b36981c1002cfded1df96a1a0ea715cfe
SSDEEP: 6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sXUzQIL9:ZtXMzqrllX7XwfEIB
Malware Config
Signatures
Executes dropped EXE 26 IoCs
pid Process
968 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
3756 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe
1456 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe
1704 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
2568 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe
3376 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe
4512 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe
4100 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe
4344 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe
4972 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe
4636 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe
3320 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe
1696 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe
4516 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe
4652 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe
4208 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
4064 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe
3660 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe
3900 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe
3532 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe
3120 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe
916 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
1812 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202v.exe
412 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202w.exe
2144 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202x.exe
2660 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202y.exe
resource yara_rule
behavioral2/memory/2100-0-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/files/0x000800000002321e-5.dat upx
behavioral2/memory/968-8-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/2100-15-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3756-27-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/1456-34-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/files/0x0007000000023224-36.dat upx
behavioral2/memory/2568-45-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3376-60-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4100-79-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4972-105-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4636-114-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3320-116-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/968-124-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/1696-125-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4344-88-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3376-65-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4512-64-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/1704-42-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/1696-128-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4516-139-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/1456-137-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/files/0x00030000000228c0-149.dat upx
behavioral2/memory/4652-146-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4208-150-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3660-169-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4512-171-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3900-195-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3532-199-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3120-200-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/files/0x0007000000023238-208.dat upx
behavioral2/memory/916-216-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/1812-225-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/1812-227-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/412-230-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/2144-249-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/2660-250-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/412-246-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/2144-239-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3120-215-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4344-217-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/3660-187-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4100-185-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/2568-167-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4208-159-0x0000000000400000-0x000000000043A000-memory.dmp upx
behavioral2/memory/4064-166-0x0000000000400000-0x000000000043A000-memory.dmp upx
Adds Run key to start application 2 TTPs 26 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202x.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202w.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202w.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202v.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202v.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202y.exe\"" a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202x.exe
Modifies registry class 54 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202v.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202w.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202y.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202y.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202w.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202x.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202v.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202x.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf1872ae8d2e68aa a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2100 wrote to memory of 968 2100 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe 86
PID 2100 wrote to memory of 968 2100 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe 86
PID 2100 wrote to memory of 968 2100 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe 86
PID 968 wrote to memory of 3756 968 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe 87
PID 968 wrote to memory of 3756 968 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe 87
PID 968 wrote to memory of 3756 968 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe 87
PID 3756 wrote to memory of 1456 3756 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe 89
PID 3756 wrote to memory of 1456 3756 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe 89
PID 3756 wrote to memory of 1456 3756 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe 89
PID 1456 wrote to memory of 1704 1456 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe 90
PID 1456 wrote to memory of 1704 1456 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe 90
PID 1456 wrote to memory of 1704 1456 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe 90
PID 1704 wrote to memory of 2568 1704 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe 91
PID 1704 wrote to memory of 2568 1704 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe 91
PID 1704 wrote to memory of 2568 1704 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe 91
PID 2568 wrote to memory of 3376 2568 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe 92
PID 2568 wrote to memory of 3376 2568 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe 92
PID 2568 wrote to memory of 3376 2568 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe 92
PID 3376 wrote to memory of 4512 3376 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe 93
PID 3376 wrote to memory of 4512 3376 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe 93
PID 3376 wrote to memory of 4512 3376 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe 93
PID 4512 wrote to memory of 4100 4512 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe 94
PID 4512 wrote to memory of 4100 4512 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe 94
PID 4512 wrote to memory of 4100 4512 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe 94
PID 4100 wrote to memory of 4344 4100 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe 95
PID 4100 wrote to memory of 4344 4100 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe 95
PID 4100 wrote to memory of 4344 4100 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe 95
PID 4344 wrote to memory of 4972 4344 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe 96
PID 4344 wrote to memory of 4972 4344 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe 96
PID 4344 wrote to memory of 4972 4344 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe 96
PID 4972 wrote to memory of 4636 4972 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe 97
PID 4972 wrote to memory of 4636 4972 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe 97
PID 4972 wrote to memory of 4636 4972 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe 97
PID 4636 wrote to memory of 3320 4636 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe 98
PID 4636 wrote to memory of 3320 4636 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe 98
PID 4636 wrote to memory of 3320 4636 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe 98
PID 3320 wrote to memory of 1696 3320 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe 99
PID 3320 wrote to memory of 1696 3320 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe 99
PID 3320 wrote to memory of 1696 3320 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe 99
PID 1696 wrote to memory of 4516 1696 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe 100
PID 1696 wrote to memory of 4516 1696 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe 100
PID 1696 wrote to memory of 4516 1696 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe 100
PID 4516 wrote to memory of 4652 4516 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe 101
PID 4516 wrote to memory of 4652 4516 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe 101
PID 4516 wrote to memory of 4652 4516 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe 101
PID 4652 wrote to memory of 4208 4652 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe 102
PID 4652 wrote to memory of 4208 4652 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe 102
PID 4652 wrote to memory of 4208 4652 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe 102
PID 4208 wrote to memory of 4064 4208 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe 103
PID 4208 wrote to memory of 4064 4208 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe 103
PID 4208 wrote to memory of 4064 4208 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe 103
PID 4064 wrote to memory of 3660 4064 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe 104
PID 4064 wrote to memory of 3660 4064 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe 104
PID 4064 wrote to memory of 3660 4064 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe 104
PID 3660 wrote to memory of 3900 3660 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe 105
PID 3660 wrote to memory of 3900 3660 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe 105
PID 3660 wrote to memory of 3900 3660 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe 105
PID 3900 wrote to memory of 3532 3900 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe 106
PID 3900 wrote to memory of 3532 3900 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe 106
PID 3900 wrote to memory of 3532 3900 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe 106
PID 3532 wrote to memory of 3120 3532 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe 107
PID 3532 wrote to memory of 3120 3532 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe 107
PID 3532 wrote to memory of 3120 3532 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe 107
PID 3120 wrote to memory of 916 3120 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe 108
Processes
- C:\Users\Admin\AppData\Local\Temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace.exe"
  Depth: 1
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2100
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
  Depth: 2
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 968
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202a.exe
  Depth: 3
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3756
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202b.exe
  Depth: 4
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1456
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
  Depth: 5
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1704
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202d.exe
  Depth: 6
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2568
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202e.exe
  Depth: 7
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3376
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202f.exe
  Depth: 8
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4512
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202g.exe
  Depth: 9
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4100
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202h.exe
  Depth: 10
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4344
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202i.exe
  Depth: 11
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4972
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe
  Depth: 12
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4636
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe
  Depth: 13
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3320
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe
  Depth: 14
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1696
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe
  Depth: 15
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4516
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202n.exe
  Depth: 16
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4652
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
  Depth: 17
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4208
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202p.exe
  Depth: 18
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4064
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202q.exe
  Depth: 19
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3660
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202r.exe
  Depth: 20
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3900
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202s.exe
  Depth: 21
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3532
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202t.exe
  Depth: 22
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3120
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
  Depth: 23
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID: 916
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202v.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202v.exe
  Depth: 24
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID: 1812
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202w.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202w.exe
  Depth: 25
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID: 412
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202x.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202x.exe
  Depth: 26
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID: 2144
- \??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202y.exe
  Command line: c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202y.exe
  Depth: 27
  - Executes dropped EXE
  - Modifies registry class
  PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
Filesize 360KB
MD5 7e6b4a3b7df69f2517eb1170cf5158ee
SHA1 8b792b75e06af14fab087bafaab85acb1bc7f9eb
SHA256 96c97aa16eb90658ed82ca9d55695cf10e97c93f632ae671351055f92f180d2e
SHA512 f3ab9fc830caff4c98f5136da57ef9bad76310505ac7c5e8c2103fe566e7b9ed82dadb8b51080956c9545b0d19f5e999180c26302fba7180c7b897929c17a028
-
\??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
Filesize 360KB
MD5 83fa96053ba4ec8c422de3950e95354a
SHA1 fc14e2f01c046394bd1922e53bb4d64de57ed47f
SHA256 6bde0d0b5e5811e10eb5c7f8d5ff381626f0e4b207ae2e15c0e25a8131c240e0
SHA512 bd10e5d75f1bf583b4eca9a40e9664a5437147901eac705b47a041a1a14d7e927652760c4f4ee85acfd2a81fde03f5f2b53658c4121e54da8dd3b78ad22785d6
-
\??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
Filesize 360KB
MD5 3dc8e6aa5f533ef309ac2d4f01f5e145
SHA1 255b11f6b2f460169f7d056dae0ed10d84834705
SHA256 36a775f5923acc9c5cc2d5793ab879a61fb7f4e06a0179ed79e7c03ac3045bf1
SHA512 f72b8d6d1835f0e787778f9a1583ec83df1e620248e34b83ef92b3d1db7e75e6eb70d9ebf9be2671a41442d87f6784505cda19748d94008604c7491ac5535f55
-
\??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
Filesize 360KB
MD5 2b99a92825aa433201a7d40bb0dbc103
SHA1 25cc4e71960a3c6d1b3393dffd8a88769e07612d
SHA256 ca6479dea6519093a685636e119fd904e37d9f74ab66395333623cc17adadbb0
SHA512 8faccde6e39c561f799bcb59e6e1bc028172b95dfdec8ee99527a6e22df1d23fe8f2032b7023513164e8eaa8abce0da2db2bc9ce5b311b8965ff61fedd5b0fcc
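Added triage helper, not tria.ge code and not part of the sample: a Python script that parses the "PID X wrote to memory of Y" events and the Downloads records above, reconstructs the parent-to-child chain and checks whether the dropped copies share a size but differ in hash. The sample text is constructed from a subset of this report's own values; the event regex and the "Label value" layout of the drop records are assumptions about the report format, and the generation-letter suffix check is keyed to this sample's `_3202<letter>.exe` naming.

```python
import re
from collections import defaultdict

# Constructed sample, copied from this report's "wrote to memory" events
# (a subset of the chain). The report lists each parent->child write three
# times; one duplicate is kept here so the parser has to collapse it.
SAMPLE_EVENTS = """\
PID 4636 wrote to memory of 3320 4636 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202j.exe 98
PID 3320 wrote to memory of 1696 3320 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe 99
PID 3320 wrote to memory of 1696 3320 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202k.exe 99
PID 1696 wrote to memory of 4516 1696 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202l.exe 100
PID 4516 wrote to memory of 4652 4516 a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202m.exe 101
"""

# Constructed sample of the Downloads records, one "Label value" per line
# (the layout is an assumption; the hashes and sizes are the report's own).
SAMPLE_DROPS = r"""
\??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202.exe
Filesize 360KB
MD5 7e6b4a3b7df69f2517eb1170cf5158ee
SHA256 96c97aa16eb90658ed82ca9d55695cf10e97c93f632ae671351055f92f180d2e
\??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202c.exe
Filesize 360KB
MD5 83fa96053ba4ec8c422de3950e95354a
SHA256 6bde0d0b5e5811e10eb5c7f8d5ff381626f0e4b207ae2e15c0e25a8131c240e0
\??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202o.exe
Filesize 360KB
MD5 3dc8e6aa5f533ef309ac2d4f01f5e145
SHA256 36a775f5923acc9c5cc2d5793ab879a61fb7f4e06a0179ed79e7c03ac3045bf1
\??\c:\users\admin\appdata\local\temp\a862f4cca5f31d6dc7be5eac6106da3755d51c94d46fea67e4a59737006adace_3202u.exe
Filesize 360KB
MD5 2b99a92825aa433201a7d40bb0dbc103
SHA256 ca6479dea6519093a685636e119fd904e37d9f74ab66395333623cc17adadbb0
"""

# "PID <src> wrote to memory of <dst> <src> <image> <desc>": the source PID is
# repeated before the image name, so the backreference doubles as a sanity check.
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")


def parse_events(text):
    """Return ({parent_pid: set(child_pids)}, {parent_pid: image_name})."""
    children, names = defaultdict(set), {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            src, dst, image = int(m.group(1)), int(m.group(2)), m.group(3)
            children[src].add(dst)
            names[src] = image
    return dict(children), names


def linear_chain(children, root):
    """Follow single-child links from root. Returns (pids, forked), where forked
    is True if some process on the path spawned more than one child. A long,
    unforked chain of same-named images is the pattern recorded in this report:
    each generation spawns exactly one successor and then stops."""
    chain, seen = [root], {root}
    while True:
        kids = children.get(chain[-1], set())
        if len(kids) != 1:
            return chain, len(kids) > 1
        nxt = next(iter(kids))
        if nxt in seen:  # defensive: never loop on malformed input
            return chain, False
        seen.add(nxt)
        chain.append(nxt)


def generation_suffix(image):
    """'..._3202k.exe' -> 'k'; '..._3202.exe' -> ''. The letter is the
    generation counter this sample appends to each copy it writes."""
    m = re.search(r"_3202([a-z]?)\.exe$", image)
    return m.group(1) if m else None


def drop_records(text):
    """Parse 'path / Filesize v / MD5 v / SHA256 v ...' blocks into dicts."""
    labels = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        label, _, value = line.partition(" ")
        if cur is not None and label in labels:
            cur[label] = value
        else:  # any other non-empty line starts a new record with its path
            cur = {"path": line}
            records.append(cur)
    return records


def same_size_distinct_hash(records):
    """True when every dropped copy has the same size but a different SHA256:
    the copies are rewritten per generation, so one file hash will not match
    them all and detection has to key on the behaviour chain instead."""
    sizes = {r.get("Filesize") for r in records}
    hashes = [r.get("SHA256") for r in records]
    return len(sizes) == 1 and len(set(hashes)) == len(hashes)


if __name__ == "__main__":
    kids, names = parse_events(SAMPLE_EVENTS)
    chain, forked = linear_chain(kids, 4636)
    print("chain:", " -> ".join(f"{p}({generation_suffix(names.get(p, ''))})" for p in chain),
          "forked:", forked)
    print("same size, distinct hashes:", same_size_distinct_hash(drop_records(SAMPLE_DROPS)))
```

Run against the full event list from this page the chain is 27 processes deep with no fork, and the four recovered drops all report 360KB with four different SHA256 values, which is why the per-process signatures (dropped EXE, Run key, WriteProcessMemory) are the better hunting key than the file hashes.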