67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32

Analysis

max time kernel
121s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe
Size

379KB
MD5

099cf1ad9cd5c225d394dfa8cc65591b
SHA1

6cb4613581d64447423b2190330cda77b8ba5a05
SHA256

67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32
SHA512

41abf1ea1a70ba721cecf559d65791e06ca12f637dfbb8260f34c9ffd1693ef423b21db6e41b67e2566fe68513ef0f55ac372ce19d62ae177f70b92430c77057
SSDEEP

6144:QhsZkhMWNFf8LAurlEzAX7oAwfSZ4sXUzQIMS:+UQMCqrllX7XwfEIj

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1084	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe
3636	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe
3488	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe
4476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe
4876	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe
2476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe
4972	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe
4200	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe
3604	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe
1588	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe
3716	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe
3804	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe
4504	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe
4404	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe
3688	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe
1004	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe
4376	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe
3928	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe
3948	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe
1372	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe
2444	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe
1688	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202u.exe
4064	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202v.exe
3056	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202w.exe
4260	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202x.exe
4436	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202y.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4408-0-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3636-19-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3488-28-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4876-53-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2476-63-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x00070000000233fc-64.dat	upx
behavioral2/memory/4200-82-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1084-126-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3804-118-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3716-117-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1588-108-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3604-98-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4972-80-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4972-71-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4476-54-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3488-44-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4476-37-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1084-15-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4408-9-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4504-131-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3688-146-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1372-191-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x00080000000233f7-195.dat	upx
behavioral2/memory/2444-210-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1688-213-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4260-241-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4436-242-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3056-232-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4064-220-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3948-193-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3948-182-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3928-174-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4376-173-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1004-150-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4404-138-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3636-130-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3688-243-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/1372-244-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 845b26c92e2c97cd	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 1084	4408	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe	83
PID 4408 wrote to memory of 1084	4408	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe	83
PID 4408 wrote to memory of 1084	4408	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe	83
PID 1084 wrote to memory of 3636	1084	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe	84
PID 1084 wrote to memory of 3636	1084	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe	84
PID 1084 wrote to memory of 3636	1084	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe	84
PID 3636 wrote to memory of 3488	3636	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe	85
PID 3636 wrote to memory of 3488	3636	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe	85
PID 3636 wrote to memory of 3488	3636	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe	85
PID 3488 wrote to memory of 4476	3488	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe	86
PID 3488 wrote to memory of 4476	3488	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe	86
PID 3488 wrote to memory of 4476	3488	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe	86
PID 4476 wrote to memory of 4876	4476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe	87
PID 4476 wrote to memory of 4876	4476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe	87
PID 4476 wrote to memory of 4876	4476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe	87
PID 4876 wrote to memory of 2476	4876	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe	88
PID 4876 wrote to memory of 2476	4876	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe	88
PID 4876 wrote to memory of 2476	4876	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe	88
PID 2476 wrote to memory of 4972	2476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe	89
PID 2476 wrote to memory of 4972	2476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe	89
PID 2476 wrote to memory of 4972	2476	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe	89
PID 4972 wrote to memory of 4200	4972	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe	90
PID 4972 wrote to memory of 4200	4972	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe	90
PID 4972 wrote to memory of 4200	4972	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe	90
PID 4200 wrote to memory of 3604	4200	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe	91
PID 4200 wrote to memory of 3604	4200	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe	91
PID 4200 wrote to memory of 3604	4200	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe	91
PID 3604 wrote to memory of 1588	3604	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe	92
PID 3604 wrote to memory of 1588	3604	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe	92
PID 3604 wrote to memory of 1588	3604	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe	92
PID 1588 wrote to memory of 3716	1588	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe	93
PID 1588 wrote to memory of 3716	1588	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe	93
PID 1588 wrote to memory of 3716	1588	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe	93
PID 3716 wrote to memory of 3804	3716	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe	94
PID 3716 wrote to memory of 3804	3716	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe	94
PID 3716 wrote to memory of 3804	3716	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe	94
PID 3804 wrote to memory of 4504	3804	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe	95
PID 3804 wrote to memory of 4504	3804	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe	95
PID 3804 wrote to memory of 4504	3804	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe	95
PID 4504 wrote to memory of 4404	4504	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe	96
PID 4504 wrote to memory of 4404	4504	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe	96
PID 4504 wrote to memory of 4404	4504	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe	96
PID 4404 wrote to memory of 3688	4404	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe	97
PID 4404 wrote to memory of 3688	4404	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe	97
PID 4404 wrote to memory of 3688	4404	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe	97
PID 3688 wrote to memory of 1004	3688	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe	98
PID 3688 wrote to memory of 1004	3688	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe	98
PID 3688 wrote to memory of 1004	3688	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe	98
PID 1004 wrote to memory of 4376	1004	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe	99
PID 1004 wrote to memory of 4376	1004	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe	99
PID 1004 wrote to memory of 4376	1004	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe	99
PID 4376 wrote to memory of 3928	4376	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe	100
PID 4376 wrote to memory of 3928	4376	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe	100
PID 4376 wrote to memory of 3928	4376	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe	100
PID 3928 wrote to memory of 3948	3928	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe	101
PID 3928 wrote to memory of 3948	3928	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe	101
PID 3928 wrote to memory of 3948	3928	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe	101
PID 3948 wrote to memory of 1372	3948	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe	102
PID 3948 wrote to memory of 1372	3948	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe	102
PID 3948 wrote to memory of 1372	3948	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe	102
PID 1372 wrote to memory of 2444	1372	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe	103
PID 1372 wrote to memory of 2444	1372	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe	103
PID 1372 wrote to memory of 2444	1372	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe	103
PID 2444 wrote to memory of 1688	2444	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe	104

C:\Users\Admin\AppData\Local\Temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe
"C:\Users\Admin\AppData\Local\Temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe
  c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1084
- - \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe
    c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe
      c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3488
    - - \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202u.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1688
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202v.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4064
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202w.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3056
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202x.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4260
        
        \??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202y.exe
        
        c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe

Filesize
379KB

MD5
01f7ae57ebc0e819ff2180f27a19c0a0

SHA1
389afa74e77bad2d6cfcb436585b016bf52a076f

SHA256
b428482b3defb4adb127e8b56aa334f93a020b5e068b0336de8fe146ca894ff1

SHA512
cdc2ddfe553af44b683f4e2dd2efb27397f9ad67bb219b211bcf630077681bbfbcb479938e757cb3b8805a26e44f52aaa3670698484db4b517364ab748eb276e

Download Submit
\??\c:\users\admin\appdata\local\temp\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe

Filesize
379KB

MD5
ee8e871fb582d4a0bcdcf42b91a41f74

SHA1
bfa626f5bbf9008b8f4d68acbfa9b681da137ed3

SHA256
2169b5105d45407626ee731e064d35ed0e573cb161a19fb8a2a002ce5e12961b

SHA512
41024fe650a19dd60695b29a01dfbb053a6bea77e16791e2353ad11b7bf6349ad126ecbd397855a6aa6165d8eae3f763e6fc055e5447d6e4d7bfb1bf1f5b8d5b

Download Submit
memory/1004-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1372-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1588-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2444-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3604-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3636-130-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3636-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3688-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3688-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3804-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3928-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-182-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4064-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4200-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4200-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4260-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4404-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4476-37-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4476-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4504-131-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4876-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202x.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202l.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202v.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202p.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202u.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202c.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202a.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202i.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202k.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202o.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202w.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202y.exe\""	67dccc78d625e8252657045eea8512f9b1ac31e2f35f37d18844a6f52a418e32_3202x.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads