e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Size

212KB
MD5

1c6553afbd6b9211792d121158b0c74f
SHA1

160b8575659dd2f2549b899e059f5466d92b39b0
SHA256

e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3
SHA512

f5b9982e413bdfa3692a48b20435f7b7ba89bff92dcea0230ba986aa413b6bb80db58485f6695b93ed47dcd304b2df55a757228ecc162d83e1b0c8416274408e
SSDEEP

3072:Kae7OubpGGErCbuZM4EQrjo7vgHJJPPIgp:KacxGfTMfQrjoziJJHI2

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2960	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
2564	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
2628	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
2584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
2484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
1084	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
2080	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
2732	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
1600	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
896	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
1804	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
1724	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
2792	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
2144	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
1248	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
1560	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
1652	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
868	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
1624	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
1948	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
2356	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
2224	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
1684	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
2556	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2884	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
2884	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
2960	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
2960	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
2564	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
2564	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
2628	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
2628	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
2584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
2584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
2484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
2484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
1084	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
1084	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
2080	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
2080	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
2732	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
2732	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
1600	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
1600	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
896	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
896	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
1804	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
1804	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
1724	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
1724	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
2792	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
2792	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
2144	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
2144	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
1248	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
1248	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
1560	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
1560	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
1652	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
1652	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
868	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
868	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
1624	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
1624	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
1948	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
1948	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
2356	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
2356	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
2224	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
2224	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
1684	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
1684	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2960-27-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000d00000001224c-15.dat	upx
behavioral1/files/0x002a000000014b6d-43.dat	upx
behavioral1/memory/2628-51-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000015264-52.dat	upx
behavioral1/memory/2564-42-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2564-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2628-58-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2584-67-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2584-75-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2484-78-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016cf0-120.dat	upx
behavioral1/files/0x0007000000015cb9-106.dat	upx
behavioral1/memory/2080-134-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/620-193-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1804-202-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1804-209-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d4a-221.dat	upx
behavioral1/memory/1724-226-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d4f-234.dat	upx
behavioral1/memory/1560-273-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1560-279-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/868-296-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/868-301-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1624-312-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2224-343-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2556-361-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1684-360-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1684-355-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2224-348-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2356-336-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2356-330-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1948-324-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1948-318-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1624-307-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1652-289-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1248-266-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1248-256-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2144-255-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2144-249-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2792-240-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2792-233-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1724-218-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d41-205.dat	upx
behavioral1/files/0x0006000000016d36-196.dat	upx
behavioral1/memory/896-177-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000016d24-180.dat	upx
behavioral1/files/0x0006000000016d11-165.dat	upx
behavioral1/files/0x0006000000016d01-151.dat	upx
behavioral1/memory/1600-163-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0013000000014c67-137.dat	upx
behavioral1/memory/2732-136-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2080-129-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2732-149-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/584-105-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1084-119-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/584-98-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x00070000000155d4-92.dat	upx
behavioral1/files/0x0007000000015364-77.dat	upx
behavioral1/memory/2484-90-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2584-70-0x00000000002A0000-0x00000000002DA000-memory.dmp	upx
behavioral1/files/0x000e000000014698-29.dat	upx
behavioral1/memory/2884-12-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 69066eb1371c694f	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2960	2884	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe	28
PID 2884 wrote to memory of 2960	2884	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe	28
PID 2884 wrote to memory of 2960	2884	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe	28
PID 2884 wrote to memory of 2960	2884	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe	28
PID 2960 wrote to memory of 2564	2960	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe	29
PID 2960 wrote to memory of 2564	2960	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe	29
PID 2960 wrote to memory of 2564	2960	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe	29
PID 2960 wrote to memory of 2564	2960	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe	29
PID 2564 wrote to memory of 2628	2564	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe	30
PID 2564 wrote to memory of 2628	2564	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe	30
PID 2564 wrote to memory of 2628	2564	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe	30
PID 2564 wrote to memory of 2628	2564	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe	30
PID 2628 wrote to memory of 2584	2628	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe	31
PID 2628 wrote to memory of 2584	2628	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe	31
PID 2628 wrote to memory of 2584	2628	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe	31
PID 2628 wrote to memory of 2584	2628	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe	31
PID 2584 wrote to memory of 2484	2584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe	32
PID 2584 wrote to memory of 2484	2584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe	32
PID 2584 wrote to memory of 2484	2584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe	32
PID 2584 wrote to memory of 2484	2584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe	32
PID 2484 wrote to memory of 584	2484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe	33
PID 2484 wrote to memory of 584	2484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe	33
PID 2484 wrote to memory of 584	2484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe	33
PID 2484 wrote to memory of 584	2484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe	33
PID 584 wrote to memory of 1084	584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe	34
PID 584 wrote to memory of 1084	584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe	34
PID 584 wrote to memory of 1084	584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe	34
PID 584 wrote to memory of 1084	584	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe	34
PID 1084 wrote to memory of 2080	1084	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe	35
PID 1084 wrote to memory of 2080	1084	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe	35
PID 1084 wrote to memory of 2080	1084	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe	35
PID 1084 wrote to memory of 2080	1084	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe	35
PID 2080 wrote to memory of 2732	2080	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe	36
PID 2080 wrote to memory of 2732	2080	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe	36
PID 2080 wrote to memory of 2732	2080	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe	36
PID 2080 wrote to memory of 2732	2080	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe	36
PID 2732 wrote to memory of 1600	2732	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe	37
PID 2732 wrote to memory of 1600	2732	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe	37
PID 2732 wrote to memory of 1600	2732	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe	37
PID 2732 wrote to memory of 1600	2732	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe	37
PID 1600 wrote to memory of 896	1600	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe	38
PID 1600 wrote to memory of 896	1600	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe	38
PID 1600 wrote to memory of 896	1600	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe	38
PID 1600 wrote to memory of 896	1600	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe	38
PID 896 wrote to memory of 620	896	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe	39
PID 896 wrote to memory of 620	896	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe	39
PID 896 wrote to memory of 620	896	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe	39
PID 896 wrote to memory of 620	896	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe	39
PID 620 wrote to memory of 1804	620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe	40
PID 620 wrote to memory of 1804	620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe	40
PID 620 wrote to memory of 1804	620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe	40
PID 620 wrote to memory of 1804	620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe	40
PID 1804 wrote to memory of 1724	1804	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe	41
PID 1804 wrote to memory of 1724	1804	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe	41
PID 1804 wrote to memory of 1724	1804	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe	41
PID 1804 wrote to memory of 1724	1804	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe	41
PID 1724 wrote to memory of 2792	1724	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe	42
PID 1724 wrote to memory of 2792	1724	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe	42
PID 1724 wrote to memory of 2792	1724	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe	42
PID 1724 wrote to memory of 2792	1724	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe	42
PID 2792 wrote to memory of 2144	2792	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe	43
PID 2792 wrote to memory of 2144	2792	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe	43
PID 2792 wrote to memory of 2144	2792	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe	43
PID 2792 wrote to memory of 2144	2792	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
"C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
  c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2960
- - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
    c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
      c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2628
    - - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2144
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1248
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1560
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1652
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:868
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1624
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1948
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2356
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2224
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1684
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe

Filesize
213KB

MD5
095ec657f6ac1c7c6cb29bfc1566dcad

SHA1
13cd38a8a890193f896005d07cc382e3cf355af5

SHA256
00923c3d812d5150792867b38669c2bf55299ed8e85ac92dd4dcbd712e3a045e

SHA512
c572f2d4fe9c4b1fc779c659891ed26db7e4090d821efbc58bda2994d8303a808a0162b9c1861e2fa37f7b507aa505fe61c16394f8e81925dea2c34b3b59b803

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe

Filesize
213KB

MD5
284ca4aea7deaea9b4d75add7034b66b

SHA1
f12e12c895637a99959279755f97da00e8e02938

SHA256
1b3d209ab928627af84b94c9c490db792b35ed75b6e7efdd9ade2fb628e2451b

SHA512
d53b98642dc0edf88179893e931692580f1c348693bf51b9509b3711cca980ec2d65176d33dd632b62746d320e61361fd3f694960519d3ba716e8348dbb0d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe

Filesize
214KB

MD5
620fa0ced2e6b1a192d8724978d330d2

SHA1
d62261bcba9e470e927e86bcab8fa201af6ba0a0

SHA256
b0b8d1e02dcdfb9eccf36e1c44eb607d5d29acb7e79fb237021380264121c06d

SHA512
119b516f0e173bfd4aabe3170f59d7d64517b8f7ae6255cb61bc376c0f068f722f7bfd00461975f3bacd9eaa25168a9175a620d74f33b34f1698e30b18dbf50a

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe

Filesize
212KB

MD5
67d51c6ec97aa2215fbc86cdd0ba8508

SHA1
9400dd27edc33e4963873470ab99aa6f30d37d6c

SHA256
526cbb324c57d5f9795aa2fe0ffd9440b336bec5fb2c2cf367adeb60498d9959

SHA512
e8f6d163629b5d01f0f8fdfc95fcd1543c05fa604f9865a3ff39da0fdc65d918897742df0e0a1983e0e5129e5b788e6f3b7f71dbec3f7bc9228bf586da2d1f3e

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe

Filesize
212KB

MD5
abb6da99d877bea151f17ed78f915a39

SHA1
cf94c1c1c60073efe9c70c25d43a5582e75a41c5

SHA256
ce96ed98b695a481059e4b7784d23d54f34e36faf15eb934f940b5c0a51e78d0

SHA512
e3b60ea90c52c31e69c9ca79d5ed1703cb1655ac99f332ec3f5bad09d48961ec11a341b8642168744632b1d9d7a73980666807a6b591503b481c2e8f15503424

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe

Filesize
213KB

MD5
bda20f27662359c4472dcd65483f2b0d

SHA1
c06e7a4b2977bbb4eec46517d1a461acc33e17bb

SHA256
a82deaeab6af68a9de5302405e1dce2844182fb9b19c6bc727f186c5411e5233

SHA512
b9f186d35251bd74b513a2dc44fd5e511c4faa69414c414937bbde4ffb114941248e47e5a4bef3782dc0570c5aa8cadd51e04ad1645f9921aec1281311866313

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe

Filesize
213KB

MD5
3eadcd1c7b516687c847cff4ab1b8b87

SHA1
eb08076d78fbed074a288564bec53e2663c16e99

SHA256
70ce848ae4a5d74826efaf248e0277c04ebe400734ecd04a9fe4ce6a663699e4

SHA512
143f3870131ebeb8e4b32df82d70b643c9c658f6833d4513cbb627d298ee554fd4bf42d4bcbaa4f80fcf5ed246efa8cf15bd9c790ffcc06cf2f4c702e755d301

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe

Filesize
214KB

MD5
f0cc72e130f6ae1ccf793655d60d9f9b

SHA1
10e5a1e41aaddfd71979ad99578f482a879787c5

SHA256
e14b07860d304b07789e884d9a330bbf7dd384c38102c48c8c90358463fa7ba7

SHA512
3e072184688841bae3e351ceac7dd1298f4fb0c56d4ad3f2895091a7f5e7ca5e687b0739af40a56499c882c42f658c4987e53b33bd9995f020deddee1d36df14

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe

Filesize
214KB

MD5
5da49d9853a81bd15b42756f255ad7f2

SHA1
0274aae1f8dd1f65131f4ff73d2506b98bf48f7c

SHA256
09b0250bf9d3580b137ff015ff5b5713d0dfd4820200cdd474bb804bd364bd42

SHA512
2092b11c379f4780e7e6130baab30d8dc2fde1c95ca798b64cbecb2dff3a7c49fe145fd6a46a10e2fa0511091056f0cb8e26768845f7a9aaec2fe1564a9c982c

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe

Filesize
214KB

MD5
3bc2f4aaa04396a655a90a04943d02f6

SHA1
62f01b85d94138b3db825496a7b1dbb2cfa34edd

SHA256
5bd0880765b56980aa3637c586bb70314c55fd32d3ce82cc62826fdb86850a23

SHA512
1a5d5ef90af7b231a2dfc82b2f585ad174bb61a23881712946442ad127ce4d2b2472c4ca8d451bb01f96c7e8977a170c09bae35f7708157c42aa0e5adc75f55b

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe

Filesize
215KB

MD5
6643dcf954a365a05b94607fc2322033

SHA1
274c47045772c621558117c4af01acd0d388a3b1

SHA256
c53e5bf0905f356dca94a08c65389b23232812a2f6ed7e2781bc1d64106bafe7

SHA512
b79800c7a56d36f49a04f5c733468cb40b99ce91494e7d00609b6c03f453c33928c660d9a10abdfff8157fce549dc4d45684dc5c823248993f5a9e60e4d85377

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe

Filesize
215KB

MD5
1de6c6c19139c4d69e245df69ffe6857

SHA1
7c032d18e0e6d132562c0dbcf7a8faacfe09a7c5

SHA256
8e11814aae8042b68928c1eb7996d5fc3d23f5ce6f31eca7c50816623379130b

SHA512
fec189855be93be61c1232e8907c7323083e43bb717347cc1f23ce87fb87fcebe0b0586183076c53abe9393f5e1a52a34c316c299be7830d9f0203751b3f7538

Download Submit
\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe

Filesize
213KB

MD5
2c186eadd9ca00327ee600da966ffa4f

SHA1
89f2f848349f29f158534c587a15e3accf594d0a

SHA256
c68011d2ad54abb1880cf51d1a637ff616f1df7a83e2e6fd1e1e146d3ba5ee34

SHA512
50419a4261c8947545cf70e61734cddf1ab24c20102708f094d89ee4445db575ba7b2b4d27cc8931c17fdedcb27e9da03c580f992177e0a3e8d07c1e71900897

Download Submit
\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe

Filesize
215KB

MD5
2253cfb5c14e4e30165482a6a3c7b4a0

SHA1
dcf0f8e625fcaa57e2ee0059128f77355a2f0b65

SHA256
52d1f95fde997da453930c67dc17b7b78d7e561cbfb8cd7d38e4a651671ee44e

SHA512
987ae9ef56cbf76f10ad7e09a9873b0263d394697614233d150fe1cd06d9ee4cd3c2862f34681c87ef906fd37ce312a98affab622577a52d5cc8ee2f1033299e

Download Submit
\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe

Filesize
215KB

MD5
0cef07b6485181063b72d9c5ab2cefd8

SHA1
6a9a022f29a86a027f2a8b1112a2528fcd5a9c51

SHA256
dc3d32a1f67e2a89c04b2d120577e4eb8f4f34e45aeecc4ba2af3cde20b64d95

SHA512
12f838a4ad8636c05a039d600b322589a391228be4978f7e44d42e9b87f93942699420525bcd26d273b206c36e829602ccfc817feb3526e63172113ecfb804cf

Download Submit
\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe

Filesize
216KB

MD5
19e0390f1c5d0a74fc831d41bb1b55e6

SHA1
c1624aaa83aa348fbae08f85916fa47ee1c838bb

SHA256
d3876e3e980aff25eb2241b3558c40d8d62fee82a1056e2cf3f77f3ae2285942

SHA512
791f3469d1909144454d100d23fb14e51be8a5844915656163ed356de941bed51a0db668c73fb500cb4d811688ae15f368795e03290259f3bc86d783d9522e1b

Download Submit
memory/584-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/584-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/620-195-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/620-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/868-301-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/896-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/896-192-0x00000000003A0000-0x00000000003DA000-memory.dmp

Filesize
232KB

Download
memory/896-178-0x00000000003A0000-0x00000000003DA000-memory.dmp

Filesize
232KB

Download
memory/1084-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-319-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/1248-267-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/1248-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1560-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1560-335-0x0000000000230000-0x000000000026A000-memory.dmp

Filesize
232KB

Download
memory/1560-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1600-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1624-307-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1624-312-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-349-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/1652-289-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-290-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/1684-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-355-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1724-218-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1724-226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-274-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1804-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1804-210-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/1948-318-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1948-324-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2080-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2080-129-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2144-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2144-254-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2144-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2224-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2356-342-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2356-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2356-330-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2484-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2484-78-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2484-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2556-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2564-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2564-42-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2564-50-0x0000000000370000-0x00000000003AA000-memory.dmp

Filesize
232KB

Download
memory/2584-70-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/2584-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2584-75-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-59-0x00000000002A0000-0x00000000002DA000-memory.dmp

Filesize
232KB

Download
memory/2628-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2732-149-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2792-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-13-0x00000000001B0000-0x00000000001EA000-memory.dmp

Filesize
232KB

Download
memory/2884-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2960-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads