0c873f499e3fe5d412d7dc61ebaa17fcacf71031ff1521c329b509adb2de236c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

669163c950d22460542d4cfce2489c4e.exe
Size

244KB
MD5

669163c950d22460542d4cfce2489c4e
SHA1

75dd0ad534f687b1ac0a7e8b52022739d99a97b6
SHA256

0c873f499e3fe5d412d7dc61ebaa17fcacf71031ff1521c329b509adb2de236c
SHA512

6e233719db3dbeedc40ea0b025968c1758a89642c4847ada333411c3abe40359e324a00caa6d3be84785b0583bf232fb805b9a4c3a0afb34a25dacc7eb0847db
SSDEEP

6144:X42FMaP+6+tT/JBnjBE3XwfSZ4sXyzQI6F:IKbGlJBjBEnwxEI6

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2852	669163c950d22460542d4cfce2489c4e_3202.exe
3004	669163c950d22460542d4cfce2489c4e_3202a.exe
2688	669163c950d22460542d4cfce2489c4e_3202b.exe
2720	669163c950d22460542d4cfce2489c4e_3202c.exe
2712	669163c950d22460542d4cfce2489c4e_3202d.exe
2508	669163c950d22460542d4cfce2489c4e_3202e.exe
2360	669163c950d22460542d4cfce2489c4e_3202f.exe
2724	669163c950d22460542d4cfce2489c4e_3202g.exe
1820	669163c950d22460542d4cfce2489c4e_3202h.exe
1940	669163c950d22460542d4cfce2489c4e_3202i.exe
2216	669163c950d22460542d4cfce2489c4e_3202j.exe
2328	669163c950d22460542d4cfce2489c4e_3202k.exe
2120	669163c950d22460542d4cfce2489c4e_3202l.exe
2804	669163c950d22460542d4cfce2489c4e_3202m.exe
1832	669163c950d22460542d4cfce2489c4e_3202n.exe
584	669163c950d22460542d4cfce2489c4e_3202o.exe
2032	669163c950d22460542d4cfce2489c4e_3202p.exe
1092	669163c950d22460542d4cfce2489c4e_3202q.exe
1784	669163c950d22460542d4cfce2489c4e_3202r.exe
1616	669163c950d22460542d4cfce2489c4e_3202s.exe
764	669163c950d22460542d4cfce2489c4e_3202t.exe
2920	669163c950d22460542d4cfce2489c4e_3202u.exe
292	669163c950d22460542d4cfce2489c4e_3202v.exe
1748	669163c950d22460542d4cfce2489c4e_3202w.exe
2336	669163c950d22460542d4cfce2489c4e_3202x.exe
1128	669163c950d22460542d4cfce2489c4e_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
3024	669163c950d22460542d4cfce2489c4e.exe
3024	669163c950d22460542d4cfce2489c4e.exe
2852	669163c950d22460542d4cfce2489c4e_3202.exe
2852	669163c950d22460542d4cfce2489c4e_3202.exe
3004	669163c950d22460542d4cfce2489c4e_3202a.exe
3004	669163c950d22460542d4cfce2489c4e_3202a.exe
2688	669163c950d22460542d4cfce2489c4e_3202b.exe
2688	669163c950d22460542d4cfce2489c4e_3202b.exe
2720	669163c950d22460542d4cfce2489c4e_3202c.exe
2720	669163c950d22460542d4cfce2489c4e_3202c.exe
2712	669163c950d22460542d4cfce2489c4e_3202d.exe
2712	669163c950d22460542d4cfce2489c4e_3202d.exe
2508	669163c950d22460542d4cfce2489c4e_3202e.exe
2508	669163c950d22460542d4cfce2489c4e_3202e.exe
2360	669163c950d22460542d4cfce2489c4e_3202f.exe
2360	669163c950d22460542d4cfce2489c4e_3202f.exe
2724	669163c950d22460542d4cfce2489c4e_3202g.exe
2724	669163c950d22460542d4cfce2489c4e_3202g.exe
1820	669163c950d22460542d4cfce2489c4e_3202h.exe
1820	669163c950d22460542d4cfce2489c4e_3202h.exe
1940	669163c950d22460542d4cfce2489c4e_3202i.exe
1940	669163c950d22460542d4cfce2489c4e_3202i.exe
2216	669163c950d22460542d4cfce2489c4e_3202j.exe
2216	669163c950d22460542d4cfce2489c4e_3202j.exe
2328	669163c950d22460542d4cfce2489c4e_3202k.exe
2328	669163c950d22460542d4cfce2489c4e_3202k.exe
2120	669163c950d22460542d4cfce2489c4e_3202l.exe
2120	669163c950d22460542d4cfce2489c4e_3202l.exe
2804	669163c950d22460542d4cfce2489c4e_3202m.exe
2804	669163c950d22460542d4cfce2489c4e_3202m.exe
1832	669163c950d22460542d4cfce2489c4e_3202n.exe
1832	669163c950d22460542d4cfce2489c4e_3202n.exe
584	669163c950d22460542d4cfce2489c4e_3202o.exe
584	669163c950d22460542d4cfce2489c4e_3202o.exe
2032	669163c950d22460542d4cfce2489c4e_3202p.exe
2032	669163c950d22460542d4cfce2489c4e_3202p.exe
1092	669163c950d22460542d4cfce2489c4e_3202q.exe
1092	669163c950d22460542d4cfce2489c4e_3202q.exe
1784	669163c950d22460542d4cfce2489c4e_3202r.exe
1784	669163c950d22460542d4cfce2489c4e_3202r.exe
1616	669163c950d22460542d4cfce2489c4e_3202s.exe
1616	669163c950d22460542d4cfce2489c4e_3202s.exe
764	669163c950d22460542d4cfce2489c4e_3202t.exe
764	669163c950d22460542d4cfce2489c4e_3202t.exe
2920	669163c950d22460542d4cfce2489c4e_3202u.exe
2920	669163c950d22460542d4cfce2489c4e_3202u.exe
292	669163c950d22460542d4cfce2489c4e_3202v.exe
292	669163c950d22460542d4cfce2489c4e_3202v.exe
1748	669163c950d22460542d4cfce2489c4e_3202w.exe
1748	669163c950d22460542d4cfce2489c4e_3202w.exe
2336	669163c950d22460542d4cfce2489c4e_3202x.exe
2336	669163c950d22460542d4cfce2489c4e_3202x.exe

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-0-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x000b00000001224e-2.dat	upx
behavioral1/memory/3024-13-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/3024-12-0x0000000001C20000-0x0000000001C5C000-memory.dmp	upx
behavioral1/memory/3004-42-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2688-50-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2852-28-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2720-71-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2712-79-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2508-93-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2508-101-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2360-111-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/files/0x0006000000015c7c-123.dat	upx
behavioral1/memory/2724-126-0x00000000002D0000-0x000000000030C000-memory.dmp	upx
behavioral1/memory/2724-130-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1820-145-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1940-152-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1940-160-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2216-168-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2216-176-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2328-184-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2328-192-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2120-199-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2120-207-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2804-215-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2804-223-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1832-239-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/584-247-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1832-233-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/584-253-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2032-259-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1092-271-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2032-265-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1092-277-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1784-284-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1616-289-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1616-300-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/764-307-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/764-312-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2920-318-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2920-324-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/292-330-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2920-320-0x0000000000340000-0x000000000037C000-memory.dmp	upx
behavioral1/memory/292-336-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1748-342-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2336-354-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1748-347-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/2336-359-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral1/memory/1128-360-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202a.exe\""	669163c950d22460542d4cfce2489c4e_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202c.exe\""	669163c950d22460542d4cfce2489c4e_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202l.exe\""	669163c950d22460542d4cfce2489c4e_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202k.exe\""	669163c950d22460542d4cfce2489c4e_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202m.exe\""	669163c950d22460542d4cfce2489c4e_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202p.exe\""	669163c950d22460542d4cfce2489c4e_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202s.exe\""	669163c950d22460542d4cfce2489c4e_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202v.exe\""	669163c950d22460542d4cfce2489c4e_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202y.exe\""	669163c950d22460542d4cfce2489c4e_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202f.exe\""	669163c950d22460542d4cfce2489c4e_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202i.exe\""	669163c950d22460542d4cfce2489c4e_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202n.exe\""	669163c950d22460542d4cfce2489c4e_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202q.exe\""	669163c950d22460542d4cfce2489c4e_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202t.exe\""	669163c950d22460542d4cfce2489c4e_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202u.exe\""	669163c950d22460542d4cfce2489c4e_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202w.exe\""	669163c950d22460542d4cfce2489c4e_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202b.exe\""	669163c950d22460542d4cfce2489c4e_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202j.exe\""	669163c950d22460542d4cfce2489c4e_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202r.exe\""	669163c950d22460542d4cfce2489c4e_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202d.exe\""	669163c950d22460542d4cfce2489c4e_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202g.exe\""	669163c950d22460542d4cfce2489c4e_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202e.exe\""	669163c950d22460542d4cfce2489c4e_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202h.exe\""	669163c950d22460542d4cfce2489c4e_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202x.exe\""	669163c950d22460542d4cfce2489c4e_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202.exe\""	669163c950d22460542d4cfce2489c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\669163c950d22460542d4cfce2489c4e_3202o.exe\""	669163c950d22460542d4cfce2489c4e_3202n.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 12bdb6c5dd464444	669163c950d22460542d4cfce2489c4e_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	669163c950d22460542d4cfce2489c4e_3202x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2852	3024	669163c950d22460542d4cfce2489c4e.exe	28
PID 3024 wrote to memory of 2852	3024	669163c950d22460542d4cfce2489c4e.exe	28
PID 3024 wrote to memory of 2852	3024	669163c950d22460542d4cfce2489c4e.exe	28
PID 3024 wrote to memory of 2852	3024	669163c950d22460542d4cfce2489c4e.exe	28
PID 2852 wrote to memory of 3004	2852	669163c950d22460542d4cfce2489c4e_3202.exe	29
PID 2852 wrote to memory of 3004	2852	669163c950d22460542d4cfce2489c4e_3202.exe	29
PID 2852 wrote to memory of 3004	2852	669163c950d22460542d4cfce2489c4e_3202.exe	29
PID 2852 wrote to memory of 3004	2852	669163c950d22460542d4cfce2489c4e_3202.exe	29
PID 3004 wrote to memory of 2688	3004	669163c950d22460542d4cfce2489c4e_3202a.exe	30
PID 3004 wrote to memory of 2688	3004	669163c950d22460542d4cfce2489c4e_3202a.exe	30
PID 3004 wrote to memory of 2688	3004	669163c950d22460542d4cfce2489c4e_3202a.exe	30
PID 3004 wrote to memory of 2688	3004	669163c950d22460542d4cfce2489c4e_3202a.exe	30
PID 2688 wrote to memory of 2720	2688	669163c950d22460542d4cfce2489c4e_3202b.exe	31
PID 2688 wrote to memory of 2720	2688	669163c950d22460542d4cfce2489c4e_3202b.exe	31
PID 2688 wrote to memory of 2720	2688	669163c950d22460542d4cfce2489c4e_3202b.exe	31
PID 2688 wrote to memory of 2720	2688	669163c950d22460542d4cfce2489c4e_3202b.exe	31
PID 2720 wrote to memory of 2712	2720	669163c950d22460542d4cfce2489c4e_3202c.exe	32
PID 2720 wrote to memory of 2712	2720	669163c950d22460542d4cfce2489c4e_3202c.exe	32
PID 2720 wrote to memory of 2712	2720	669163c950d22460542d4cfce2489c4e_3202c.exe	32
PID 2720 wrote to memory of 2712	2720	669163c950d22460542d4cfce2489c4e_3202c.exe	32
PID 2712 wrote to memory of 2508	2712	669163c950d22460542d4cfce2489c4e_3202d.exe	33
PID 2712 wrote to memory of 2508	2712	669163c950d22460542d4cfce2489c4e_3202d.exe	33
PID 2712 wrote to memory of 2508	2712	669163c950d22460542d4cfce2489c4e_3202d.exe	33
PID 2712 wrote to memory of 2508	2712	669163c950d22460542d4cfce2489c4e_3202d.exe	33
PID 2508 wrote to memory of 2360	2508	669163c950d22460542d4cfce2489c4e_3202e.exe	34
PID 2508 wrote to memory of 2360	2508	669163c950d22460542d4cfce2489c4e_3202e.exe	34
PID 2508 wrote to memory of 2360	2508	669163c950d22460542d4cfce2489c4e_3202e.exe	34
PID 2508 wrote to memory of 2360	2508	669163c950d22460542d4cfce2489c4e_3202e.exe	34
PID 2360 wrote to memory of 2724	2360	669163c950d22460542d4cfce2489c4e_3202f.exe	35
PID 2360 wrote to memory of 2724	2360	669163c950d22460542d4cfce2489c4e_3202f.exe	35
PID 2360 wrote to memory of 2724	2360	669163c950d22460542d4cfce2489c4e_3202f.exe	35
PID 2360 wrote to memory of 2724	2360	669163c950d22460542d4cfce2489c4e_3202f.exe	35
PID 2724 wrote to memory of 1820	2724	669163c950d22460542d4cfce2489c4e_3202g.exe	36
PID 2724 wrote to memory of 1820	2724	669163c950d22460542d4cfce2489c4e_3202g.exe	36
PID 2724 wrote to memory of 1820	2724	669163c950d22460542d4cfce2489c4e_3202g.exe	36
PID 2724 wrote to memory of 1820	2724	669163c950d22460542d4cfce2489c4e_3202g.exe	36
PID 1820 wrote to memory of 1940	1820	669163c950d22460542d4cfce2489c4e_3202h.exe	37
PID 1820 wrote to memory of 1940	1820	669163c950d22460542d4cfce2489c4e_3202h.exe	37
PID 1820 wrote to memory of 1940	1820	669163c950d22460542d4cfce2489c4e_3202h.exe	37
PID 1820 wrote to memory of 1940	1820	669163c950d22460542d4cfce2489c4e_3202h.exe	37
PID 1940 wrote to memory of 2216	1940	669163c950d22460542d4cfce2489c4e_3202i.exe	38
PID 1940 wrote to memory of 2216	1940	669163c950d22460542d4cfce2489c4e_3202i.exe	38
PID 1940 wrote to memory of 2216	1940	669163c950d22460542d4cfce2489c4e_3202i.exe	38
PID 1940 wrote to memory of 2216	1940	669163c950d22460542d4cfce2489c4e_3202i.exe	38
PID 2216 wrote to memory of 2328	2216	669163c950d22460542d4cfce2489c4e_3202j.exe	39
PID 2216 wrote to memory of 2328	2216	669163c950d22460542d4cfce2489c4e_3202j.exe	39
PID 2216 wrote to memory of 2328	2216	669163c950d22460542d4cfce2489c4e_3202j.exe	39
PID 2216 wrote to memory of 2328	2216	669163c950d22460542d4cfce2489c4e_3202j.exe	39
PID 2328 wrote to memory of 2120	2328	669163c950d22460542d4cfce2489c4e_3202k.exe	40
PID 2328 wrote to memory of 2120	2328	669163c950d22460542d4cfce2489c4e_3202k.exe	40
PID 2328 wrote to memory of 2120	2328	669163c950d22460542d4cfce2489c4e_3202k.exe	40
PID 2328 wrote to memory of 2120	2328	669163c950d22460542d4cfce2489c4e_3202k.exe	40
PID 2120 wrote to memory of 2804	2120	669163c950d22460542d4cfce2489c4e_3202l.exe	41
PID 2120 wrote to memory of 2804	2120	669163c950d22460542d4cfce2489c4e_3202l.exe	41
PID 2120 wrote to memory of 2804	2120	669163c950d22460542d4cfce2489c4e_3202l.exe	41
PID 2120 wrote to memory of 2804	2120	669163c950d22460542d4cfce2489c4e_3202l.exe	41
PID 2804 wrote to memory of 1832	2804	669163c950d22460542d4cfce2489c4e_3202m.exe	42
PID 2804 wrote to memory of 1832	2804	669163c950d22460542d4cfce2489c4e_3202m.exe	42
PID 2804 wrote to memory of 1832	2804	669163c950d22460542d4cfce2489c4e_3202m.exe	42
PID 2804 wrote to memory of 1832	2804	669163c950d22460542d4cfce2489c4e_3202m.exe	42
PID 1832 wrote to memory of 584	1832	669163c950d22460542d4cfce2489c4e_3202n.exe	43
PID 1832 wrote to memory of 584	1832	669163c950d22460542d4cfce2489c4e_3202n.exe	43
PID 1832 wrote to memory of 584	1832	669163c950d22460542d4cfce2489c4e_3202n.exe	43
PID 1832 wrote to memory of 584	1832	669163c950d22460542d4cfce2489c4e_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\669163c950d22460542d4cfce2489c4e.exe
"C:\Users\Admin\AppData\Local\Temp\669163c950d22460542d4cfce2489c4e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024
- \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202.exe
  c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202a.exe
    c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202b.exe
      c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202c.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202d.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202e.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202f.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202g.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202h.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202i.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202j.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202k.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202l.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202m.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202n.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202o.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:584
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202p.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2032
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202q.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1092
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202r.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1784
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202s.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1616
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202t.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:764
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202u.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2920
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202v.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:292
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202w.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1748
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202x.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2336
        
        \??\c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202y.exe
        
        c:\users\admin\appdata\local\temp\669163c950d22460542d4cfce2489c4e_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\669163c950d22460542d4cfce2489c4e_3202.exe

Filesize
244KB

MD5
3e5164995ab543137af98905ed6985af

SHA1
326de37cb1ba8f576ce87419fedbfc361e76ad79

SHA256
79c74573b22cf8a37a5c7823148ba51d8ce39553b974d7e4c9c9a15a545dd115

SHA512
38decfcc329b3f2c6c184d9990fffbbe0d4dcb85838e991ee8d2a0340809e02500fca97a694db0d4d54b8290a3ebd538b4712a604fd8d8a535a9960ee24e73e9

Download Submit
\Users\Admin\AppData\Local\Temp\669163c950d22460542d4cfce2489c4e_3202h.exe

Filesize
244KB

MD5
4ef2641b305daba37dabee5efbed09fb

SHA1
0eaa1146c0b2dba4d4f19611502376a949cf8569

SHA256
a3cb66ca8094e64e541122e86a29ae53c129600df2ff8be9be36b166f46ebc4b

SHA512
258deb621826983dc74c2c3c210f192afecd8e9f25232f12b2a60243c9db912dae889635136b18d56a31e11859bab96fdf30f5b713053cd19acd811c903839fb

Download Submit
memory/292-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/292-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/584-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/764-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/764-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-278-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1092-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1128-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-289-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1616-306-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1748-348-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/1748-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1832-234-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/1832-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-261-0x0000000001C00000-0x0000000001C3C000-memory.dmp

Filesize
240KB

Download
memory/2032-332-0x0000000001C00000-0x0000000001C3C000-memory.dmp

Filesize
240KB

Download
memory/2032-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2032-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-202-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/2120-273-0x0000000000310000-0x000000000034C000-memory.dmp

Filesize
240KB

Download
memory/2216-249-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download
memory/2216-171-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download
memory/2216-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2216-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2336-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2336-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2360-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2360-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2508-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-50-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2712-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-70-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/2720-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-126-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2724-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-230-0x0000000000340000-0x000000000037C000-memory.dmp

Filesize
240KB

Download
memory/2804-296-0x0000000000340000-0x000000000037C000-memory.dmp

Filesize
240KB

Download
memory/2804-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2920-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2920-320-0x0000000000340000-0x000000000037C000-memory.dmp

Filesize
240KB

Download
memory/2920-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3004-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-12-0x0000000001C20000-0x0000000001C5C000-memory.dmp

Filesize
240KB

Download
memory/3024-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3024-15-0x0000000001C20000-0x0000000001C5C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads