538bbcf4a468b248db8bb74fe6e44463349b94506eaac31749ee667836aa865d

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f1fa13813c57cbb4f244abfe882b95.exe
Size

239KB
MD5

03f1fa13813c57cbb4f244abfe882b95
SHA1

4baa5284a62560803005bd82e29f90fe06ba21cc
SHA256

538bbcf4a468b248db8bb74fe6e44463349b94506eaac31749ee667836aa865d
SHA512

e8d5cb311b6ba74e219ff34d6b3d6a1711599503d2123e92a4f9868dbcc106871350f38d28c3c7d9b557b8823f330f042d86c4ae4a8c7fb16865bcc26411515d
SSDEEP

6144:xbKif9ZjWcmUUa2jn2FLjzbcwfSZ4sX/zQI6FU:BhFZMhjnWjzwwMEI6W

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3044	03f1fa13813c57cbb4f244abfe882b95_3202.exe
2512	03f1fa13813c57cbb4f244abfe882b95_3202a.exe
2636	03f1fa13813c57cbb4f244abfe882b95_3202b.exe
2428	03f1fa13813c57cbb4f244abfe882b95_3202c.exe
2908	03f1fa13813c57cbb4f244abfe882b95_3202d.exe
2436	03f1fa13813c57cbb4f244abfe882b95_3202e.exe
2136	03f1fa13813c57cbb4f244abfe882b95_3202f.exe
2692	03f1fa13813c57cbb4f244abfe882b95_3202g.exe
1776	03f1fa13813c57cbb4f244abfe882b95_3202h.exe
1936	03f1fa13813c57cbb4f244abfe882b95_3202i.exe
1612	03f1fa13813c57cbb4f244abfe882b95_3202j.exe
2916	03f1fa13813c57cbb4f244abfe882b95_3202k.exe
2936	03f1fa13813c57cbb4f244abfe882b95_3202l.exe
2240	03f1fa13813c57cbb4f244abfe882b95_3202m.exe
2516	03f1fa13813c57cbb4f244abfe882b95_3202n.exe
2836	03f1fa13813c57cbb4f244abfe882b95_3202o.exe
1236	03f1fa13813c57cbb4f244abfe882b95_3202p.exe
2352	03f1fa13813c57cbb4f244abfe882b95_3202q.exe
2032	03f1fa13813c57cbb4f244abfe882b95_3202r.exe
740	03f1fa13813c57cbb4f244abfe882b95_3202s.exe
2180	03f1fa13813c57cbb4f244abfe882b95_3202t.exe
2060	03f1fa13813c57cbb4f244abfe882b95_3202u.exe
2980	03f1fa13813c57cbb4f244abfe882b95_3202v.exe
1708	03f1fa13813c57cbb4f244abfe882b95_3202w.exe
1724	03f1fa13813c57cbb4f244abfe882b95_3202x.exe
2616	03f1fa13813c57cbb4f244abfe882b95_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1924	03f1fa13813c57cbb4f244abfe882b95.exe
1924	03f1fa13813c57cbb4f244abfe882b95.exe
3044	03f1fa13813c57cbb4f244abfe882b95_3202.exe
3044	03f1fa13813c57cbb4f244abfe882b95_3202.exe
2512	03f1fa13813c57cbb4f244abfe882b95_3202a.exe
2512	03f1fa13813c57cbb4f244abfe882b95_3202a.exe
2636	03f1fa13813c57cbb4f244abfe882b95_3202b.exe
2636	03f1fa13813c57cbb4f244abfe882b95_3202b.exe
2428	03f1fa13813c57cbb4f244abfe882b95_3202c.exe
2428	03f1fa13813c57cbb4f244abfe882b95_3202c.exe
2908	03f1fa13813c57cbb4f244abfe882b95_3202d.exe
2908	03f1fa13813c57cbb4f244abfe882b95_3202d.exe
2436	03f1fa13813c57cbb4f244abfe882b95_3202e.exe
2436	03f1fa13813c57cbb4f244abfe882b95_3202e.exe
2136	03f1fa13813c57cbb4f244abfe882b95_3202f.exe
2136	03f1fa13813c57cbb4f244abfe882b95_3202f.exe
2692	03f1fa13813c57cbb4f244abfe882b95_3202g.exe
2692	03f1fa13813c57cbb4f244abfe882b95_3202g.exe
1776	03f1fa13813c57cbb4f244abfe882b95_3202h.exe
1776	03f1fa13813c57cbb4f244abfe882b95_3202h.exe
1936	03f1fa13813c57cbb4f244abfe882b95_3202i.exe
1936	03f1fa13813c57cbb4f244abfe882b95_3202i.exe
1612	03f1fa13813c57cbb4f244abfe882b95_3202j.exe
1612	03f1fa13813c57cbb4f244abfe882b95_3202j.exe
2916	03f1fa13813c57cbb4f244abfe882b95_3202k.exe
2916	03f1fa13813c57cbb4f244abfe882b95_3202k.exe
2936	03f1fa13813c57cbb4f244abfe882b95_3202l.exe
2936	03f1fa13813c57cbb4f244abfe882b95_3202l.exe
2240	03f1fa13813c57cbb4f244abfe882b95_3202m.exe
2240	03f1fa13813c57cbb4f244abfe882b95_3202m.exe
2516	03f1fa13813c57cbb4f244abfe882b95_3202n.exe
2516	03f1fa13813c57cbb4f244abfe882b95_3202n.exe
2836	03f1fa13813c57cbb4f244abfe882b95_3202o.exe
2836	03f1fa13813c57cbb4f244abfe882b95_3202o.exe
1236	03f1fa13813c57cbb4f244abfe882b95_3202p.exe
1236	03f1fa13813c57cbb4f244abfe882b95_3202p.exe
2352	03f1fa13813c57cbb4f244abfe882b95_3202q.exe
2352	03f1fa13813c57cbb4f244abfe882b95_3202q.exe
2032	03f1fa13813c57cbb4f244abfe882b95_3202r.exe
2032	03f1fa13813c57cbb4f244abfe882b95_3202r.exe
740	03f1fa13813c57cbb4f244abfe882b95_3202s.exe
740	03f1fa13813c57cbb4f244abfe882b95_3202s.exe
2180	03f1fa13813c57cbb4f244abfe882b95_3202t.exe
2180	03f1fa13813c57cbb4f244abfe882b95_3202t.exe
2060	03f1fa13813c57cbb4f244abfe882b95_3202u.exe
2060	03f1fa13813c57cbb4f244abfe882b95_3202u.exe
2980	03f1fa13813c57cbb4f244abfe882b95_3202v.exe
2980	03f1fa13813c57cbb4f244abfe882b95_3202v.exe
1708	03f1fa13813c57cbb4f244abfe882b95_3202w.exe
1708	03f1fa13813c57cbb4f244abfe882b95_3202w.exe
1724	03f1fa13813c57cbb4f244abfe882b95_3202x.exe
1724	03f1fa13813c57cbb4f244abfe882b95_3202x.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012251-5.dat	upx
behavioral1/memory/1924-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/3044-19-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2636-54-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2512-39-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2428-62-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2428-69-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2436-85-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2908-83-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2436-98-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2136-101-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2136-114-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2692-115-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2692-129-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1776-137-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1776-145-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0006000000016d18-153.dat	upx
behavioral1/memory/1936-152-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1936-159-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1612-167-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1612-175-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2916-177-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2936-203-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2916-189-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2240-212-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2240-220-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2516-228-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2516-236-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2836-243-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2836-248-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1236-254-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1236-259-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2352-265-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2352-271-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2032-277-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2032-282-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/740-289-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/740-294-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2180-301-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2180-306-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2060-318-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2980-324-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2060-313-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2980-326-0x0000000000290000-0x00000000002CB000-memory.dmp	upx
behavioral1/memory/2980-330-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1708-336-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1708-341-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1724-347-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2616-353-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1724-352-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202m.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202n.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202s.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202v.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202w.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202e.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202l.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202k.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202t.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202q.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202g.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202h.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202u.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202c.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202i.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202d.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202p.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202x.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202f.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202j.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202o.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202y.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202b.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202r.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202.exe\""	03f1fa13813c57cbb4f244abfe882b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\03f1fa13813c57cbb4f244abfe882b95_3202a.exe\""	03f1fa13813c57cbb4f244abfe882b95_3202.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 2fe6d1eafe393f33	03f1fa13813c57cbb4f244abfe882b95_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	03f1fa13813c57cbb4f244abfe882b95_3202x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3044	1924	03f1fa13813c57cbb4f244abfe882b95.exe	28
PID 1924 wrote to memory of 3044	1924	03f1fa13813c57cbb4f244abfe882b95.exe	28
PID 1924 wrote to memory of 3044	1924	03f1fa13813c57cbb4f244abfe882b95.exe	28
PID 1924 wrote to memory of 3044	1924	03f1fa13813c57cbb4f244abfe882b95.exe	28
PID 3044 wrote to memory of 2512	3044	03f1fa13813c57cbb4f244abfe882b95_3202.exe	29
PID 3044 wrote to memory of 2512	3044	03f1fa13813c57cbb4f244abfe882b95_3202.exe	29
PID 3044 wrote to memory of 2512	3044	03f1fa13813c57cbb4f244abfe882b95_3202.exe	29
PID 3044 wrote to memory of 2512	3044	03f1fa13813c57cbb4f244abfe882b95_3202.exe	29
PID 2512 wrote to memory of 2636	2512	03f1fa13813c57cbb4f244abfe882b95_3202a.exe	30
PID 2512 wrote to memory of 2636	2512	03f1fa13813c57cbb4f244abfe882b95_3202a.exe	30
PID 2512 wrote to memory of 2636	2512	03f1fa13813c57cbb4f244abfe882b95_3202a.exe	30
PID 2512 wrote to memory of 2636	2512	03f1fa13813c57cbb4f244abfe882b95_3202a.exe	30
PID 2636 wrote to memory of 2428	2636	03f1fa13813c57cbb4f244abfe882b95_3202b.exe	31
PID 2636 wrote to memory of 2428	2636	03f1fa13813c57cbb4f244abfe882b95_3202b.exe	31
PID 2636 wrote to memory of 2428	2636	03f1fa13813c57cbb4f244abfe882b95_3202b.exe	31
PID 2636 wrote to memory of 2428	2636	03f1fa13813c57cbb4f244abfe882b95_3202b.exe	31
PID 2428 wrote to memory of 2908	2428	03f1fa13813c57cbb4f244abfe882b95_3202c.exe	32
PID 2428 wrote to memory of 2908	2428	03f1fa13813c57cbb4f244abfe882b95_3202c.exe	32
PID 2428 wrote to memory of 2908	2428	03f1fa13813c57cbb4f244abfe882b95_3202c.exe	32
PID 2428 wrote to memory of 2908	2428	03f1fa13813c57cbb4f244abfe882b95_3202c.exe	32
PID 2908 wrote to memory of 2436	2908	03f1fa13813c57cbb4f244abfe882b95_3202d.exe	33
PID 2908 wrote to memory of 2436	2908	03f1fa13813c57cbb4f244abfe882b95_3202d.exe	33
PID 2908 wrote to memory of 2436	2908	03f1fa13813c57cbb4f244abfe882b95_3202d.exe	33
PID 2908 wrote to memory of 2436	2908	03f1fa13813c57cbb4f244abfe882b95_3202d.exe	33
PID 2436 wrote to memory of 2136	2436	03f1fa13813c57cbb4f244abfe882b95_3202e.exe	34
PID 2436 wrote to memory of 2136	2436	03f1fa13813c57cbb4f244abfe882b95_3202e.exe	34
PID 2436 wrote to memory of 2136	2436	03f1fa13813c57cbb4f244abfe882b95_3202e.exe	34
PID 2436 wrote to memory of 2136	2436	03f1fa13813c57cbb4f244abfe882b95_3202e.exe	34
PID 2136 wrote to memory of 2692	2136	03f1fa13813c57cbb4f244abfe882b95_3202f.exe	35
PID 2136 wrote to memory of 2692	2136	03f1fa13813c57cbb4f244abfe882b95_3202f.exe	35
PID 2136 wrote to memory of 2692	2136	03f1fa13813c57cbb4f244abfe882b95_3202f.exe	35
PID 2136 wrote to memory of 2692	2136	03f1fa13813c57cbb4f244abfe882b95_3202f.exe	35
PID 2692 wrote to memory of 1776	2692	03f1fa13813c57cbb4f244abfe882b95_3202g.exe	36
PID 2692 wrote to memory of 1776	2692	03f1fa13813c57cbb4f244abfe882b95_3202g.exe	36
PID 2692 wrote to memory of 1776	2692	03f1fa13813c57cbb4f244abfe882b95_3202g.exe	36
PID 2692 wrote to memory of 1776	2692	03f1fa13813c57cbb4f244abfe882b95_3202g.exe	36
PID 1776 wrote to memory of 1936	1776	03f1fa13813c57cbb4f244abfe882b95_3202h.exe	37
PID 1776 wrote to memory of 1936	1776	03f1fa13813c57cbb4f244abfe882b95_3202h.exe	37
PID 1776 wrote to memory of 1936	1776	03f1fa13813c57cbb4f244abfe882b95_3202h.exe	37
PID 1776 wrote to memory of 1936	1776	03f1fa13813c57cbb4f244abfe882b95_3202h.exe	37
PID 1936 wrote to memory of 1612	1936	03f1fa13813c57cbb4f244abfe882b95_3202i.exe	38
PID 1936 wrote to memory of 1612	1936	03f1fa13813c57cbb4f244abfe882b95_3202i.exe	38
PID 1936 wrote to memory of 1612	1936	03f1fa13813c57cbb4f244abfe882b95_3202i.exe	38
PID 1936 wrote to memory of 1612	1936	03f1fa13813c57cbb4f244abfe882b95_3202i.exe	38
PID 1612 wrote to memory of 2916	1612	03f1fa13813c57cbb4f244abfe882b95_3202j.exe	39
PID 1612 wrote to memory of 2916	1612	03f1fa13813c57cbb4f244abfe882b95_3202j.exe	39
PID 1612 wrote to memory of 2916	1612	03f1fa13813c57cbb4f244abfe882b95_3202j.exe	39
PID 1612 wrote to memory of 2916	1612	03f1fa13813c57cbb4f244abfe882b95_3202j.exe	39
PID 2916 wrote to memory of 2936	2916	03f1fa13813c57cbb4f244abfe882b95_3202k.exe	40
PID 2916 wrote to memory of 2936	2916	03f1fa13813c57cbb4f244abfe882b95_3202k.exe	40
PID 2916 wrote to memory of 2936	2916	03f1fa13813c57cbb4f244abfe882b95_3202k.exe	40
PID 2916 wrote to memory of 2936	2916	03f1fa13813c57cbb4f244abfe882b95_3202k.exe	40
PID 2936 wrote to memory of 2240	2936	03f1fa13813c57cbb4f244abfe882b95_3202l.exe	41
PID 2936 wrote to memory of 2240	2936	03f1fa13813c57cbb4f244abfe882b95_3202l.exe	41
PID 2936 wrote to memory of 2240	2936	03f1fa13813c57cbb4f244abfe882b95_3202l.exe	41
PID 2936 wrote to memory of 2240	2936	03f1fa13813c57cbb4f244abfe882b95_3202l.exe	41
PID 2240 wrote to memory of 2516	2240	03f1fa13813c57cbb4f244abfe882b95_3202m.exe	42
PID 2240 wrote to memory of 2516	2240	03f1fa13813c57cbb4f244abfe882b95_3202m.exe	42
PID 2240 wrote to memory of 2516	2240	03f1fa13813c57cbb4f244abfe882b95_3202m.exe	42
PID 2240 wrote to memory of 2516	2240	03f1fa13813c57cbb4f244abfe882b95_3202m.exe	42
PID 2516 wrote to memory of 2836	2516	03f1fa13813c57cbb4f244abfe882b95_3202n.exe	43
PID 2516 wrote to memory of 2836	2516	03f1fa13813c57cbb4f244abfe882b95_3202n.exe	43
PID 2516 wrote to memory of 2836	2516	03f1fa13813c57cbb4f244abfe882b95_3202n.exe	43
PID 2516 wrote to memory of 2836	2516	03f1fa13813c57cbb4f244abfe882b95_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\03f1fa13813c57cbb4f244abfe882b95.exe
"C:\Users\Admin\AppData\Local\Temp\03f1fa13813c57cbb4f244abfe882b95.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924
- \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202.exe
  c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3044
- - \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202a.exe
    c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202b.exe
      c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202c.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202d.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202e.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202f.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202g.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202h.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202i.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202j.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202k.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202l.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202m.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202n.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202o.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2836
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202p.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1236
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202q.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2352
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202r.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2032
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202s.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:740
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202t.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2180
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202u.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2060
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202v.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2980
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202w.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1708
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202x.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1724
        
        \??\c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202y.exe
        
        c:\users\admin\appdata\local\temp\03f1fa13813c57cbb4f244abfe882b95_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03f1fa13813c57cbb4f244abfe882b95_3202.exe

Filesize
239KB

MD5
c4badb611738f2a0222e5909e6053bb8

SHA1
2c31acb023a52807382b1fd3462758d3eef6899f

SHA256
8e30e968f9faddce9e28fd1b6de45d85b5457f110122f5c874cced23cfa633a6

SHA512
829ccb2004f8722a6a8e4948c141d997f1705f09b113c7209cc789ce17b5d4f7bd007a5a6488a800e5bc0aad5b4f7bea2ce9be813e0a0cb823563ef982e8febd

Download Submit
\Users\Admin\AppData\Local\Temp\03f1fa13813c57cbb4f244abfe882b95_3202j.exe

Filesize
239KB

MD5
1914e8cb4f45ff9a6135499173136daf

SHA1
3b2ce38f4533fa3beaa5ce82fbb498714243500c

SHA256
d2462ffc63d5618905dd61b6386859a84c23b692b99c476688ba45e684274fb3

SHA512
1d7b5c0147e9cfb743f2244033b96ee3e62037e9772863e2945f8c7a2e2bda57647bd7913786a19cc545ea937d530a16dde5fcbd6582f1b3a0cd80061f8d3cf9

Download Submit
memory/740-300-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/740-289-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/740-294-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1236-254-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1236-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1612-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1612-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1708-336-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1708-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1724-347-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1724-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1776-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1776-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-128-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1936-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1936-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2032-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2032-282-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2060-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2060-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-114-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-101-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2180-301-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2180-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2240-215-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2240-220-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2240-312-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2240-212-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2352-270-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/2352-265-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2352-271-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2428-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2428-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2436-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2436-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2512-40-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2512-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2516-236-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2516-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2616-353-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2636-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2692-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2692-129-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2836-248-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2836-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2908-83-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2916-189-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2916-177-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2916-205-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2936-288-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2936-203-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2980-326-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/2980-330-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3044-19-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads