e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Size

212KB
MD5

1c6553afbd6b9211792d121158b0c74f
SHA1

160b8575659dd2f2549b899e059f5466d92b39b0
SHA256

e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3
SHA512

f5b9982e413bdfa3692a48b20435f7b7ba89bff92dcea0230ba986aa413b6bb80db58485f6695b93ed47dcd304b2df55a757228ecc162d83e1b0c8416274408e
SSDEEP

3072:Kae7OubpGGErCbuZM4EQrjo7vgHJJPPIgp:KacxGfTMfQrjoziJJHI2

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3220	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
5000	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
2836	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
3496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
2620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
4320	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
4988	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
1352	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
3788	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
2652	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
3548	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
4368	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
1172	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
3028	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
556	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
1496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
1236	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
3100	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
4928	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
4996	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
2900	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
1936	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
2984	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
3152	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
3484	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
4456	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3288-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000300000001e97a-5.dat	upx
behavioral2/memory/3220-17-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5000-25-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5000-27-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000800000002341a-39.dat	upx
behavioral2/memory/3496-53-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002341b-47.dat	upx
behavioral2/files/0x000700000002341c-57.dat	upx
behavioral2/memory/2620-55-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2836-37-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023413-29.dat	upx
behavioral2/memory/2836-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023270-19.dat	upx
behavioral2/memory/4320-66-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4988-74-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002341d-68.dat	upx
behavioral2/memory/3220-10-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3288-8-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002341e-76.dat	upx
behavioral2/memory/4988-77-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1352-84-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023421-95.dat	upx
behavioral2/memory/3548-114-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023423-116.dat	upx
behavioral2/files/0x0007000000023422-106.dat	upx
behavioral2/memory/2652-107-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2652-103-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3788-97-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1352-88-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023420-87.dat	upx
behavioral2/memory/4368-124-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1172-127-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1172-134-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023424-136.dat	upx
behavioral2/files/0x0008000000023418-126.dat	upx
behavioral2/memory/3028-137-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023426-144.dat	upx
behavioral2/memory/3028-151-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023427-154.dat	upx
behavioral2/files/0x0007000000023428-164.dat	upx
behavioral2/memory/1236-171-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1236-173-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023429-175.dat	upx
behavioral2/memory/1496-165-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1496-156-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/556-155-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4928-190-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4928-192-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002342c-194.dat	upx
behavioral2/files/0x000700000002342b-182.dat	upx
behavioral2/memory/3100-183-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4996-202-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023433-203.dat	upx
behavioral2/memory/2900-204-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023434-211.dat	upx
behavioral2/files/0x0007000000023435-222.dat	upx
behavioral2/memory/2984-231-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3152-239-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023436-233.dat	upx
behavioral2/memory/1936-221-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2984-229-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2900-219-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1936-218-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0c73c01bcf592391	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3220	3288	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe	84
PID 3288 wrote to memory of 3220	3288	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe	84
PID 3288 wrote to memory of 3220	3288	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe	84
PID 3220 wrote to memory of 5000	3220	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe	85
PID 3220 wrote to memory of 5000	3220	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe	85
PID 3220 wrote to memory of 5000	3220	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe	85
PID 5000 wrote to memory of 2836	5000	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe	86
PID 5000 wrote to memory of 2836	5000	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe	86
PID 5000 wrote to memory of 2836	5000	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe	86
PID 2836 wrote to memory of 3496	2836	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe	87
PID 2836 wrote to memory of 3496	2836	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe	87
PID 2836 wrote to memory of 3496	2836	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe	87
PID 3496 wrote to memory of 2620	3496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe	88
PID 3496 wrote to memory of 2620	3496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe	88
PID 3496 wrote to memory of 2620	3496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe	88
PID 2620 wrote to memory of 4320	2620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe	89
PID 2620 wrote to memory of 4320	2620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe	89
PID 2620 wrote to memory of 4320	2620	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe	89
PID 4320 wrote to memory of 4988	4320	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe	90
PID 4320 wrote to memory of 4988	4320	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe	90
PID 4320 wrote to memory of 4988	4320	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe	90
PID 4988 wrote to memory of 1352	4988	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe	91
PID 4988 wrote to memory of 1352	4988	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe	91
PID 4988 wrote to memory of 1352	4988	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe	91
PID 1352 wrote to memory of 3788	1352	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe	92
PID 1352 wrote to memory of 3788	1352	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe	92
PID 1352 wrote to memory of 3788	1352	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe	92
PID 3788 wrote to memory of 2652	3788	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe	93
PID 3788 wrote to memory of 2652	3788	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe	93
PID 3788 wrote to memory of 2652	3788	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe	93
PID 2652 wrote to memory of 3548	2652	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe	94
PID 2652 wrote to memory of 3548	2652	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe	94
PID 2652 wrote to memory of 3548	2652	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe	94
PID 3548 wrote to memory of 4368	3548	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe	95
PID 3548 wrote to memory of 4368	3548	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe	95
PID 3548 wrote to memory of 4368	3548	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe	95
PID 4368 wrote to memory of 1172	4368	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe	96
PID 4368 wrote to memory of 1172	4368	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe	96
PID 4368 wrote to memory of 1172	4368	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe	96
PID 1172 wrote to memory of 3028	1172	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe	97
PID 1172 wrote to memory of 3028	1172	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe	97
PID 1172 wrote to memory of 3028	1172	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe	97
PID 3028 wrote to memory of 556	3028	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe	98
PID 3028 wrote to memory of 556	3028	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe	98
PID 3028 wrote to memory of 556	3028	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe	98
PID 556 wrote to memory of 1496	556	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe	99
PID 556 wrote to memory of 1496	556	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe	99
PID 556 wrote to memory of 1496	556	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe	99
PID 1496 wrote to memory of 1236	1496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe	100
PID 1496 wrote to memory of 1236	1496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe	100
PID 1496 wrote to memory of 1236	1496	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe	100
PID 1236 wrote to memory of 3100	1236	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe	101
PID 1236 wrote to memory of 3100	1236	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe	101
PID 1236 wrote to memory of 3100	1236	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe	101
PID 3100 wrote to memory of 4928	3100	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe	103
PID 3100 wrote to memory of 4928	3100	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe	103
PID 3100 wrote to memory of 4928	3100	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe	103
PID 4928 wrote to memory of 4996	4928	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe	104
PID 4928 wrote to memory of 4996	4928	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe	104
PID 4928 wrote to memory of 4996	4928	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe	104
PID 4996 wrote to memory of 2900	4996	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe	106
PID 4996 wrote to memory of 2900	4996	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe	106
PID 4996 wrote to memory of 2900	4996	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe	106
PID 2900 wrote to memory of 1936	2900	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe	107

C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
"C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3288
- \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
  c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3220
- - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
    c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
      c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2836
    - - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1936
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2984
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3152
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3484
        
        \??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
        
        c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe

Filesize
212KB

MD5
291148bf225c5a7377f1f6c1e205b781

SHA1
845e2f5959f477c6391413623cb08a045a29b1fa

SHA256
04b2c37a6a2d9d7b775fbb1f533c3061b1722f9a19c6a92fba6e2724ed5fa45e

SHA512
a4dc858292bd84ef260d9b456240c750b9fc926271aa8da45eb33d365d9478da50bfaebfcef88fd482357c3f5b4bd8fdfbd11f038df5208e95a405cbad366d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe

Filesize
214KB

MD5
a807e6d4d304deebf234cc5e98d9483f

SHA1
392c7bb36263b5b276919af59fcb34ddf65c88a9

SHA256
1cdefa65abccafda1d65f368945d93578c3dfd3fc9ce78f962b1dd075e0e44a3

SHA512
b4d222513448f5254c4d003051ef550f29cc2530479a4100d0250015f05e65a182468363ec63917b07bb69a777be6f75fbf019b2602fbad33dc568cafb698cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe

Filesize
214KB

MD5
f222848d7ef45997e70966083ea1d66c

SHA1
2ea6b46e3fe16fdb241415d1f9d9ca33bcc035bb

SHA256
77bc12b5a145e9531c9794d3c961a59bbd06067958549b59f08c61754ebb3d5d

SHA512
45c15e366ea5bd8c2b0ff47d2a77ef5f491f24df6c68a01edca09e7e288fee259e89b4351b9963e81f09cee3b9e0b2abc602354bd36afb10ba4aa1fc3f41681e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe

Filesize
215KB

MD5
fd4ce5a86a020ef1fe8063a524feb427

SHA1
99225d6429dd3d4652b243d78bc621f8b2a215d7

SHA256
2a6ddd0cf815bb8e6faabee93c2dab72629601dbeb9eb4be6523ec3530b1929c

SHA512
83b304c36412ca3d4372d6908acb6be814d39d3c31741979db1608809db682f7256f0daa7e20e69dac2a6e14470c6dbb25e2a6ca04e204568608173b4b76a096

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe

Filesize
216KB

MD5
eabd1d08f43b93ba65fc434e9d556287

SHA1
4780306bba2a7f6af67ff0abd8a3a540e7be1a09

SHA256
b57637c9765797328249a6760fd6c44deaa8b15cf28bd1df9395aff973abd574

SHA512
f0cd6bd569e81aaa1a409ecd303733c12b0a98845fb0887a0f199d5d37685009808ee0c89314e3eba290b3acc1cb77aa340730b0783036f0a1d0e829b5137d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe

Filesize
217KB

MD5
b75909a0e27bffb0676a34fc0edd2d7a

SHA1
f64a67067cd9106caa59d011decac3fe9903abb4

SHA256
5ff81b30f1ff00e236a2f8657169add4d2f9b32e094eff4cdbe0d5f72bea1ab3

SHA512
93fc8a7e1f6e4a6cd452c4fd1fa587b46b4a1771154ccf3f31cede244c88397f11fea57989321a3c54cf29bf950227bc2a01973623716764bafb02ec71188940

Download Submit
C:\Users\Admin\AppData\Local\Temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe

Filesize
217KB

MD5
4641743f2ff74358d77db77bb4379e1b

SHA1
d2e5046a4556268ed11f5c54d2b418df057e5bb8

SHA256
6444ae86df2d566e06437e7acfb6ba2508ecf737febaa5a23d47b0729d8e4e45

SHA512
aa1c032034180930cb1e67e53c59ce77fd964addf8516780dafdf143dbf8c3b96a214413b86d6b1ef0b4afa82763feb0ccf6f0ccc241839f6230e018652b5554

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe

Filesize
212KB

MD5
887dc84e90d1a5d1ff4b74a4037450ab

SHA1
0536de53213e4db37c1bf295b0498b0fecb2b139

SHA256
27a55e67c2a35c174299e87d1517996cca8420db6e333aaf57a387df33e22c70

SHA512
a1e3ebd0f9d995d3ed18df49acc7842ce1c0575a57a4e29aab25a109297c5a442cf7d581ccc97bc36b3cdbef6993ab5a434f2385978ad82c06fe6819ea19c51f

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe

Filesize
213KB

MD5
a7a6edcea9c5f8f8edce76195b5dc633

SHA1
dc7731a77663fbd1a7e4e0c247dd6c57b8ece725

SHA256
75f56b14597f162021dcdfcbcabb043934688469ebd5cc92c89cf62caaa26e88

SHA512
2c6eafd1ba6c2d160cd0eef85fd8e1cda49ff234badd7554eeb1ec9e081eb7dcd6e4604436d6b567a1001561302053e779f853b76b10ddf7b9addcf8e2c073f2

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe

Filesize
213KB

MD5
7ee0eee3bd16287c1569d8659ebe504e

SHA1
dbf08249e8ea54b0536c12110eb0a12aae356a52

SHA256
fec4b264e4c5560de4d749af5bd467aa919747b3920db8841506f45b46f6c68e

SHA512
d5f3d5cffc1a0af78ac433b1f2231cc8ce7221540bbc352169d1f555888176b857bb487222ee4bad133bfaa23ad1e9c1d1856b57a9290bc7621cf87c4841826c

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe

Filesize
213KB

MD5
b97de6fcecea95857ab9b40f545c7810

SHA1
e68010d2f6b4facacb8500bcf011e2e1618019de

SHA256
2aa3efc3a0acc6793090f29373a3bfe75110e5ff539b3f01b23c7d0a4cb3f645

SHA512
445d80a3ec17e6b35737e37b3a5b97271496940ebf7e884193e29778fadc28087c9c474f1ed8640fe5741c11628d9c0d32503f83f546c257da1b252b7c3b85f1

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe

Filesize
213KB

MD5
fb53917445d452df7d187644f1081e14

SHA1
1851d98026b61fa407fda444e83c5a4f8bc07d62

SHA256
c80efee75c20627d8bb1e7d2345aeae235b5c301e528bdaa4834497162b95bfa

SHA512
5ff779bc71d23b984ae8e20d4ac0ceed4558e166c7f03b75e274984816e421fb69be1afcd232968f27b14af43a521db6fb7b5398026dc237c31cb2ebdc03479a

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe

Filesize
213KB

MD5
9f4590f6d578ee98a145d172399109f8

SHA1
2374e8720d06a4871145a49dfe5e7b4d9f714ecf

SHA256
9c4ef1ab2dced71dd4c832a83e597a9a24344425a54c44bc1651af242e3d03fb

SHA512
086c41c8a31d61cd2d1025b756a4106b872ed58d4566c734996153d296bbc1384deabe6dc8c240dd640258dccddc0efefdb4f7b75cef890709c2a92a2d612dc7

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe

Filesize
214KB

MD5
b40b8de69acf0bfe2900d8e45d155d42

SHA1
cc25b51fefb1d1be656210840ee31019b2fb3f8d

SHA256
c262e1c90d9d345d7a7ecbc916f332c0c41536a0be526e6b1266e8a82f46d21e

SHA512
a532ac0b98ad2ef4d06f8ae12f58400a69b96b27494c9147ca9e2bb24cf6496cb3001baa953fada9485901b7b2dcaf8d1251b87ea489e58bc1f708bb499e6ca4

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe

Filesize
214KB

MD5
a5d1f378c36c265be38650b03f0d54db

SHA1
c1926b6f65ca071350fd789eeab8236047685fbb

SHA256
e47f4488ed2fe8716b60f56c322d8cb8129161ceb90463ffbf44d65e186ff568

SHA512
1d3e477bec8592e0ddee7be70928330ca401d35fe233723d0c6191aa845e2d69f7c4ab6a2150002ea550d3cb70d205015cf833d109f90282a3c6ed31fb8596d7

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe

Filesize
215KB

MD5
4d43218547b642e27f8b300775e5987d

SHA1
b315f633707e163bf49af98dfacaa5563655f0c1

SHA256
9bcb4baf6677a08db3ff606e4e0eecefd73065095ebfeba05796ea92e7ad8ee1

SHA512
0e717105776f6b0ddc32376a8eef62de381c14a254c625d01a2b83791680f2ee9ba825210d8f2882f023ab6f8bdf54f539d490ae9938ed7b796adcf2346dca39

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe

Filesize
215KB

MD5
908d520a8c09fa15e9d06973b7bbde7c

SHA1
8b55c51295360e92e97fbcb86a187bcfd9992dab

SHA256
579708b5cc0f3f8e977aaacf33c2324b968c1cbf3787e87bd1c9d25fc444ca3c

SHA512
367c16c2b54b91a7308c15ea9279d9312fec97cb8be5d872bfc53e5b1f17f8e29f9b28aa62cb90fab9159104cbe74f29dbdfd152924a1ea8a9b92f3db7937747

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe

Filesize
215KB

MD5
15ba3fe426f6b048bce659ed01e638f3

SHA1
b6a0185974051af915bb94f8ed557f8e804a8666

SHA256
225b3040d9d5f43e9f46fbd214674728a5d2f8f04de742f4e1ec1cf486e54830

SHA512
bda48aba7ec4727c96246aebf3e8237216ae685bd68b65cfc341d2cdcbf13471eba5596dc071ce4d19f5b75bdd30b2aeb1a0e6dd3ba6f57478aab6e2875fefdc

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe

Filesize
216KB

MD5
e51a2944d4a3d7206b785a3628d858b2

SHA1
e524b42e909f47298a8db6478c316ee64c606a2a

SHA256
e5d0f58396ca899eebe90be4b1c451c7161356b916b32dddb7227d3ec54b340b

SHA512
6b493203bc7c5c2062dcde04f137f191e0e60733c4344e31819d2cbc9c66df6e612b950ad265bb5d8afb7a35579fe00b1682ea3ee6a04f65afab60dd93f316d2

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe

Filesize
216KB

MD5
0b15683f9164b9ae5857817fa657f42a

SHA1
b0c3f179ecba053644af51f33f5dae6bb61a86ce

SHA256
94187350c9d5faf43b0e937eb58aeb02f552b137a13de77342289eef95dcc511

SHA512
d9d9e64c89c01a7435f8c736369cca0be18c0e3709804f0bed83d0a8525d00f435073877ed572d10c004fbb5d691f3df0cdff67a1db363a802c9867b0802c534

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe

Filesize
216KB

MD5
fea51be22fdf29d4cb78ce7625e68fc6

SHA1
451da8fc93fbbb28c7cfa7a9711c0db4aeb4fc0b

SHA256
a2a31da58c80e43858cfa2cd8ec4149a1e320b481325b81b4cac004dda6913b1

SHA512
aec504e6bef4a7ee1489e5cccf092dba3e139ea454c620eadaa61c0612fb1cc3ecb462a8b57d108b59cd19c3aad9faddc6309173a5cf02a71914f9a6652efe60

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe

Filesize
216KB

MD5
950f8c991daef803439f3a5ea7069aaa

SHA1
b8d71c03bd40c41ed3fea11305d6e37a8382d661

SHA256
b9265a3597d9677f4afbd2385867caefb0f49c7a15f36e060961e93171b57424

SHA512
ab04735b31e6b46076c6f2d04ecbfbaf7acc052f439f509c025aaee0c20f1fca4dd1b3b50e8dad6db4ae829f309b8fe954419163e95a42eaabb34bd7b10ffabe

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe

Filesize
217KB

MD5
1f138c878d8bac16bdf4f417b7774e5b

SHA1
2d12048a393656281222c40bb8ce9451b9adfea3

SHA256
2f1cee3e10e67679a709fc8bab56e26182d67f57d2422338a001f70c4e4bacf1

SHA512
7663aa2530489767a0955428436ed99c08ce6b5262e4f9de06a2e9cc78cc6b046b4f708d99c7cff616f85bab4c8da4a9e0fb40ffde8a706e062919f1455fde40

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe

Filesize
217KB

MD5
e90f634aecedfcafeebda0ca37fbe834

SHA1
46f78582cc4848fedefc2ac409526eb59435be81

SHA256
8986864e29bbfb37a9c5fabbebefb73a5e9be52d929b33e45ba69e0eb65d401a

SHA512
3d8eb9f63a27000a723cb44aa75424c100e3aa95a2d2c8c4961387c76f3c3bfd91b77a2a09c007fb35b44362358c5f93a9b91b65746c8f59d5b70193b445ec86

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe

Filesize
218KB

MD5
666d2b9d217dd10d37c7d29a0f79ea6e

SHA1
b72cdf85da0bb9239474ff2052b786045fdab616

SHA256
4212d80f5a065b5b6c1266d398ed624bbd30d8ee30be059ab67eb481910d722f

SHA512
727e29552a1792ad235d0fb15a475521b2733be9f75d5c2e5c682af9bc0a628091e6ec569031198cf18fd0ceb5e45dc812f393622eae7b89f596594455d89190

Download Submit
\??\c:\users\admin\appdata\local\temp\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe

Filesize
218KB

MD5
92f0e7ffcd8de51d7a3cc21ba423ad97

SHA1
39e6b2a47c05f919cd92abcc21eae4c4f1761657

SHA256
964ad49dcadd36e5e57698f90e1b87518419aaf6d678e40ee9326cdc0e9877dc

SHA512
39148008b3c95623454f28179b3082924a471708ef37eb05011d558df6ae9ebf684938b12834b09984245d498318d21f16d74ad4dc16fe1567247ffff2fc3cff

Download Submit
memory/556-155-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1172-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1172-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1236-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1236-173-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-84-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1496-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1496-165-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-218-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2652-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2652-107-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2836-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2836-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2900-204-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2900-219-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3028-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3028-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3100-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3152-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3152-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3220-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3220-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3288-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3288-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3484-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3496-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-114-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3788-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4320-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-124-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4456-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4928-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4928-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4996-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5000-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202m.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202y.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202j.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202r.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202u.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202l.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202p.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202d.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202h.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202o.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202w.exe\""	e053df206d5a39ddf436176f384afa886566e8ae69dd16b2c1536a8c441efdf3_3202v.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads