4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 21:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe
Size

240KB
MD5

6d2770645051295926cebadd69c60622
SHA1

f7b5a0ac347013b1596d9ef8b19a77ba09b5d6c2
SHA256

4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3
SHA512

b92f19921687d1f182347a20faf07d23e23593640ba42dc68a64060a6191835a65ea2f605378a45fd244c508c160e94058bb03d6f5bf881078f2379e8d97310a
SSDEEP

6144:9hbZ5hMTNFf8LAurlEzAX7o5hn8wVSZ2sX5:vtXMzqrllX7618w

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4496	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe
4124	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe
2128	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe
844	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe
3204	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe
2952	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe
3112	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe
1820	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe
1964	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe
4652	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe
3836	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe
3420	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe
4428	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe
4628	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe
1940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe
3776	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe
876	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe
1276	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe
2072	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe
3940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe
3288	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe
512	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202u.exe
4988	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202v.exe
2780	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202w.exe
4128	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202x.exe
736	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 366260952afcd9ed	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4496	5072	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe	84
PID 5072 wrote to memory of 4496	5072	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe	84
PID 5072 wrote to memory of 4496	5072	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe	84
PID 4496 wrote to memory of 4124	4496	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe	85
PID 4496 wrote to memory of 4124	4496	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe	85
PID 4496 wrote to memory of 4124	4496	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe	85
PID 4124 wrote to memory of 2128	4124	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe	86
PID 4124 wrote to memory of 2128	4124	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe	86
PID 4124 wrote to memory of 2128	4124	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe	86
PID 2128 wrote to memory of 844	2128	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe	87
PID 2128 wrote to memory of 844	2128	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe	87
PID 2128 wrote to memory of 844	2128	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe	87
PID 844 wrote to memory of 3204	844	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe	88
PID 844 wrote to memory of 3204	844	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe	88
PID 844 wrote to memory of 3204	844	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe	88
PID 3204 wrote to memory of 2952	3204	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe	89
PID 3204 wrote to memory of 2952	3204	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe	89
PID 3204 wrote to memory of 2952	3204	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe	89
PID 2952 wrote to memory of 3112	2952	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe	90
PID 2952 wrote to memory of 3112	2952	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe	90
PID 2952 wrote to memory of 3112	2952	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe	90
PID 3112 wrote to memory of 1820	3112	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe	91
PID 3112 wrote to memory of 1820	3112	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe	91
PID 3112 wrote to memory of 1820	3112	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe	91
PID 1820 wrote to memory of 1964	1820	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe	92
PID 1820 wrote to memory of 1964	1820	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe	92
PID 1820 wrote to memory of 1964	1820	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe	92
PID 1964 wrote to memory of 4652	1964	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe	93
PID 1964 wrote to memory of 4652	1964	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe	93
PID 1964 wrote to memory of 4652	1964	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe	93
PID 4652 wrote to memory of 3836	4652	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe	94
PID 4652 wrote to memory of 3836	4652	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe	94
PID 4652 wrote to memory of 3836	4652	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe	94
PID 3836 wrote to memory of 3420	3836	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe	95
PID 3836 wrote to memory of 3420	3836	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe	95
PID 3836 wrote to memory of 3420	3836	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe	95
PID 3420 wrote to memory of 4428	3420	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe	96
PID 3420 wrote to memory of 4428	3420	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe	96
PID 3420 wrote to memory of 4428	3420	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe	96
PID 4428 wrote to memory of 4628	4428	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe	97
PID 4428 wrote to memory of 4628	4428	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe	97
PID 4428 wrote to memory of 4628	4428	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe	97
PID 4628 wrote to memory of 1940	4628	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe	98
PID 4628 wrote to memory of 1940	4628	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe	98
PID 4628 wrote to memory of 1940	4628	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe	98
PID 1940 wrote to memory of 3776	1940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe	99
PID 1940 wrote to memory of 3776	1940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe	99
PID 1940 wrote to memory of 3776	1940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe	99
PID 3776 wrote to memory of 876	3776	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe	100
PID 3776 wrote to memory of 876	3776	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe	100
PID 3776 wrote to memory of 876	3776	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe	100
PID 876 wrote to memory of 1276	876	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe	101
PID 876 wrote to memory of 1276	876	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe	101
PID 876 wrote to memory of 1276	876	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe	101
PID 1276 wrote to memory of 2072	1276	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe	102
PID 1276 wrote to memory of 2072	1276	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe	102
PID 1276 wrote to memory of 2072	1276	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe	102
PID 2072 wrote to memory of 3940	2072	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe	103
PID 2072 wrote to memory of 3940	2072	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe	103
PID 2072 wrote to memory of 3940	2072	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe	103
PID 3940 wrote to memory of 3288	3940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe	104
PID 3940 wrote to memory of 3288	3940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe	104
PID 3940 wrote to memory of 3288	3940	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe	104
PID 3288 wrote to memory of 512	3288	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe	105

C:\Users\Admin\AppData\Local\Temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe
"C:\Users\Admin\AppData\Local\Temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe
  c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4496
- - \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe
    c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe
      c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2128
    - - \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
      - \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202u.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:512
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202v.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4988
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202w.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2780
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202x.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4128
        
        \??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202y.exe
        
        c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe

Filesize
240KB

MD5
2a195b77ea9a76385f15111cd4d1a38f

SHA1
92b53e711d445886251f1d121f463e132f1fccd1

SHA256
3e221fb0dfd01e93df68ebee89bac2a7c1d1bdbede2d95fb3908330074176c4a

SHA512
f58aebfee5b32f7a014eabad0bbc3e9cf09dec5980b5af05ff0d5cad179cd549c29052251133991cde806fb9e204427eb4e7f651cdcccc10488528af661fca8f

Download Submit
\??\c:\users\admin\appdata\local\temp\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe

Filesize
240KB

MD5
ac2733fb66aca223a546e99dc8b21f5f

SHA1
ee1f1eb6fe7af9d8f50f9317c9504ea498c4b97e

SHA256
b379dd4f85bf84f2d6da4b7d3969e4f730398f03ebc8b2ab708cbe16f618c6be

SHA512
fa7969d87ada7517ddb6be1bb1f5f8d0659f920acb79f58ff87d6893d7d66c732116d7fdaea29599dfcdc4ae82ee612da64851ce01c7e7812d3889e483c93a19

Download Submit
memory/512-212-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/512-216-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/736-247-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/844-44-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/876-165-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1276-174-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1276-184-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1820-80-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1820-251-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1940-150-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1940-141-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1964-252-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1964-84-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2072-178-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2128-36-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2780-236-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2780-232-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2952-56-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2952-249-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3112-71-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3112-250-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3204-63-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3204-52-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3288-205-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3420-112-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3420-128-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3776-159-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3836-108-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3836-118-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3940-196-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3940-193-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4124-28-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4124-18-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4128-244-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4128-242-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4428-122-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4496-248-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4496-15-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4628-132-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4652-93-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4652-102-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4988-226-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4988-222-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/5072-0-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/5072-9-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202u.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202w.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202x.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202v.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202g.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202l.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202y.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202d.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202t.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202j.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202s.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202p.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202a.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202c.exe\""	4401098d4daa56638c9a0ae3970b3e6b36d607d9d5315c93c2149524a1e270e3_3202b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads