6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe
Size

245KB
MD5

cd2679cf087d0795944ffc4a1a4477d7
SHA1

00a401a3c3d097ffaba9b4343b648e4c368f5845
SHA256

6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05
SHA512

ec8d80f211e6404c30e6b6463656f3ab4c3cdc3d0476c0f705d373dd065086bd40bd67015dd74c2c828cd8e9af38f827d27d2b0301568e2c41343a33154e7592
SSDEEP

6144:9hbZ5hMTNFf8LAurlEzAX7o5hn8wVSZ2sX0g:vtXMzqrllX7618wc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
5028	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe
4800	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe
4988	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe
4856	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe
4144	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe
4188	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe
2384	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe
1712	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe
2892	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe
2276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe
564	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe
1176	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe
4172	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe
752	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe
3276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe
4316	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe
2308	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe
2196	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe
3600	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe
2728	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe
4736	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe
892	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202u.exe
2416	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202v.exe
4548	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202w.exe
1180	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202x.exe
2040	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fb4b4b5416d4abef	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 5028	4108	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe	85
PID 4108 wrote to memory of 5028	4108	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe	85
PID 4108 wrote to memory of 5028	4108	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe	85
PID 5028 wrote to memory of 4800	5028	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe	86
PID 5028 wrote to memory of 4800	5028	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe	86
PID 5028 wrote to memory of 4800	5028	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe	86
PID 4800 wrote to memory of 4988	4800	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe	87
PID 4800 wrote to memory of 4988	4800	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe	87
PID 4800 wrote to memory of 4988	4800	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe	87
PID 4988 wrote to memory of 4856	4988	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe	88
PID 4988 wrote to memory of 4856	4988	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe	88
PID 4988 wrote to memory of 4856	4988	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe	88
PID 4856 wrote to memory of 4144	4856	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe	89
PID 4856 wrote to memory of 4144	4856	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe	89
PID 4856 wrote to memory of 4144	4856	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe	89
PID 4144 wrote to memory of 4188	4144	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe	90
PID 4144 wrote to memory of 4188	4144	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe	90
PID 4144 wrote to memory of 4188	4144	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe	90
PID 4188 wrote to memory of 2384	4188	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe	91
PID 4188 wrote to memory of 2384	4188	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe	91
PID 4188 wrote to memory of 2384	4188	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe	91
PID 2384 wrote to memory of 1712	2384	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe	92
PID 2384 wrote to memory of 1712	2384	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe	92
PID 2384 wrote to memory of 1712	2384	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe	92
PID 1712 wrote to memory of 2892	1712	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe	93
PID 1712 wrote to memory of 2892	1712	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe	93
PID 1712 wrote to memory of 2892	1712	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe	93
PID 2892 wrote to memory of 2276	2892	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe	94
PID 2892 wrote to memory of 2276	2892	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe	94
PID 2892 wrote to memory of 2276	2892	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe	94
PID 2276 wrote to memory of 564	2276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe	95
PID 2276 wrote to memory of 564	2276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe	95
PID 2276 wrote to memory of 564	2276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe	95
PID 564 wrote to memory of 1176	564	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe	96
PID 564 wrote to memory of 1176	564	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe	96
PID 564 wrote to memory of 1176	564	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe	96
PID 1176 wrote to memory of 4172	1176	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe	97
PID 1176 wrote to memory of 4172	1176	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe	97
PID 1176 wrote to memory of 4172	1176	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe	97
PID 4172 wrote to memory of 752	4172	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe	98
PID 4172 wrote to memory of 752	4172	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe	98
PID 4172 wrote to memory of 752	4172	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe	98
PID 752 wrote to memory of 3276	752	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe	99
PID 752 wrote to memory of 3276	752	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe	99
PID 752 wrote to memory of 3276	752	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe	99
PID 3276 wrote to memory of 4316	3276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe	100
PID 3276 wrote to memory of 4316	3276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe	100
PID 3276 wrote to memory of 4316	3276	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe	100
PID 4316 wrote to memory of 2308	4316	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe	101
PID 4316 wrote to memory of 2308	4316	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe	101
PID 4316 wrote to memory of 2308	4316	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe	101
PID 2308 wrote to memory of 2196	2308	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe	102
PID 2308 wrote to memory of 2196	2308	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe	102
PID 2308 wrote to memory of 2196	2308	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe	102
PID 2196 wrote to memory of 3600	2196	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe	103
PID 2196 wrote to memory of 3600	2196	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe	103
PID 2196 wrote to memory of 3600	2196	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe	103
PID 3600 wrote to memory of 2728	3600	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe	104
PID 3600 wrote to memory of 2728	3600	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe	104
PID 3600 wrote to memory of 2728	3600	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe	104
PID 2728 wrote to memory of 4736	2728	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe	105
PID 2728 wrote to memory of 4736	2728	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe	105
PID 2728 wrote to memory of 4736	2728	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe	105
PID 4736 wrote to memory of 892	4736	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe	106

C:\Users\Admin\AppData\Local\Temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe
"C:\Users\Admin\AppData\Local\Temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108
- \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe
  c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5028
- - \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe
    c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe
      c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4988
    - - \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202u.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:892
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202v.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2416
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202w.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4548
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202x.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1180
        
        \??\c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202y.exe
        
        c:\users\admin\appdata\local\temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe

Filesize
245KB

MD5
a951577fd6f55f47553595f04af9bb22

SHA1
3b81c895f9bb08eef4b73e5b1dc1b990ceed3d5b

SHA256
1150d9852fdfdefaa682dd7a71105aad6e0fdb155884f619e55d3a4175750fa9

SHA512
3f9026bc964c1b2a5fc19d492b48316ca96b5a3c3daa86a3de8f8caba10aab9d3f848def4e7d7783b982ea77f26daacaf536584696e12aad682a190f7422e978

Download Submit
C:\Users\Admin\AppData\Local\Temp\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe

Filesize
245KB

MD5
481d819a063e8b95c048fdfdfd9f8e22

SHA1
bbab7738e52f28c605d4e8ad0cf73ff30cae9bb7

SHA256
f46431d5bd650fdd9c9ba13935be1cb0dfa94b518501ab0e86f30d55975e35f9

SHA512
1571aa19ee92c9d676dee8680269717f00193afbe77175f77dbaf4db1fbc6da55aa0988b9f28b74d145a66b7d3a0f3496c1c9a561fd57ba0ab637484d86b638e

Download Submit
memory/564-110-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/752-138-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/892-213-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/892-222-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1176-112-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1176-121-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1180-243-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1712-93-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2040-245-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2196-175-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2276-99-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2276-103-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2308-167-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2384-81-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2416-223-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2728-196-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2728-188-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2892-89-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2892-248-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3276-149-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3600-178-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3600-186-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4108-9-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4108-0-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4144-48-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4144-64-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4172-132-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4172-128-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4188-57-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4188-247-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4316-157-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4548-233-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4736-207-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4736-198-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4800-25-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4800-36-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4856-45-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4988-29-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4988-246-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/5028-19-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/5028-15-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202v.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202w.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202m.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202q.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202h.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202c.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202p.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202x.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202f.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202l.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202u.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202y.exe\""	6834b3d1f05fc7c13764d28e5c85caa8b9c9ba52cf0b7c891ef35d3cfe640a05_3202x.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads