5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe
Size

326KB
MD5

2b8142469ec76f023611bd27e53074c6
SHA1

f9e3d9a1a7abefd77305cf14cc26512c439948b4
SHA256

5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11
SHA512

54f17fafb0da05a1a3d574815a7322eae0d42cc2877929bcea75483b1870ca2260c82e13309eb892d82ab5f0eafdc38dfa7bb4366722c2709e45eb052c5dd4d9
SSDEEP

3072:Wae7OubpGGErCbuZM4EQrjo7vgHJJPPIjyBrOd3U:WacxGfTMfQrjoziJJHIQH

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3088	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe
2072	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe
376	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe
3824	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe
4928	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe
2560	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe
1320	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe
3504	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe
2360	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe
2836	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe
3948	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe
5084	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe
5064	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe
4028	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe
3720	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe
4400	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe
1712	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe
964	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe
2988	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe
5104	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe
4428	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe
4216	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe
5096	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe
1112	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe
2660	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe
4528	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202y.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/840-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x001c00000001e97e-5.dat	upx
behavioral2/memory/840-8-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3088-10-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3088-18-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0008000000023442-19.dat	upx
behavioral2/files/0x0008000000023445-28.dat	upx
behavioral2/files/0x0007000000023449-36.dat	upx
behavioral2/files/0x000700000002344a-47.dat	upx
behavioral2/memory/3824-53-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4928-56-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002344b-57.dat	upx
behavioral2/memory/376-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2072-27-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002344c-65.dat	upx
behavioral2/memory/2560-66-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1320-68-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3504-83-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002344d-77.dat	upx
behavioral2/files/0x000700000002344e-86.dat	upx
behavioral2/memory/3504-85-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002344f-95.dat	upx
behavioral2/memory/2360-96-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3948-114-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3948-112-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023451-115.dat	upx
behavioral2/files/0x0007000000023452-125.dat	upx
behavioral2/files/0x0007000000023453-134.dat	upx
behavioral2/memory/5084-131-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5084-122-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023450-105.dat	upx
behavioral2/memory/2836-106-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2836-97-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1320-75-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5064-136-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5064-132-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023454-146.dat	upx
behavioral2/memory/4028-144-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0008000000023446-155.dat	upx
behavioral2/memory/4400-163-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3720-152-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3720-156-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1712-174-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1712-172-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023456-175.dat	upx
behavioral2/files/0x0007000000023455-166.dat	upx
behavioral2/files/0x0007000000023457-184.dat	upx
behavioral2/memory/2988-191-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023458-193.dat	upx
behavioral2/memory/964-185-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023459-204.dat	upx
behavioral2/memory/5104-202-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2988-195-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4216-220-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4428-212-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4216-222-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002345b-224.dat	upx
behavioral2/files/0x000700000002345a-214.dat	upx
behavioral2/files/0x000700000002345c-231.dat	upx
behavioral2/memory/5096-233-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002345e-240.dat	upx
behavioral2/memory/1112-241-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2660-251-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002345f-250.dat	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 4af4c113176df5a8	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3088	840	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe	87
PID 840 wrote to memory of 3088	840	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe	87
PID 840 wrote to memory of 3088	840	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe	87
PID 3088 wrote to memory of 2072	3088	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe	88
PID 3088 wrote to memory of 2072	3088	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe	88
PID 3088 wrote to memory of 2072	3088	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe	88
PID 2072 wrote to memory of 376	2072	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe	89
PID 2072 wrote to memory of 376	2072	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe	89
PID 2072 wrote to memory of 376	2072	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe	89
PID 376 wrote to memory of 3824	376	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe	90
PID 376 wrote to memory of 3824	376	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe	90
PID 376 wrote to memory of 3824	376	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe	90
PID 3824 wrote to memory of 4928	3824	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe	91
PID 3824 wrote to memory of 4928	3824	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe	91
PID 3824 wrote to memory of 4928	3824	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe	91
PID 4928 wrote to memory of 2560	4928	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe	92
PID 4928 wrote to memory of 2560	4928	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe	92
PID 4928 wrote to memory of 2560	4928	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe	92
PID 2560 wrote to memory of 1320	2560	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe	93
PID 2560 wrote to memory of 1320	2560	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe	93
PID 2560 wrote to memory of 1320	2560	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe	93
PID 1320 wrote to memory of 3504	1320	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe	94
PID 1320 wrote to memory of 3504	1320	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe	94
PID 1320 wrote to memory of 3504	1320	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe	94
PID 3504 wrote to memory of 2360	3504	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe	95
PID 3504 wrote to memory of 2360	3504	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe	95
PID 3504 wrote to memory of 2360	3504	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe	95
PID 2360 wrote to memory of 2836	2360	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe	96
PID 2360 wrote to memory of 2836	2360	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe	96
PID 2360 wrote to memory of 2836	2360	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe	96
PID 2836 wrote to memory of 3948	2836	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe	97
PID 2836 wrote to memory of 3948	2836	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe	97
PID 2836 wrote to memory of 3948	2836	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe	97
PID 3948 wrote to memory of 5084	3948	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe	98
PID 3948 wrote to memory of 5084	3948	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe	98
PID 3948 wrote to memory of 5084	3948	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe	98
PID 5084 wrote to memory of 5064	5084	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe	99
PID 5084 wrote to memory of 5064	5084	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe	99
PID 5084 wrote to memory of 5064	5084	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe	99
PID 5064 wrote to memory of 4028	5064	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe	100
PID 5064 wrote to memory of 4028	5064	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe	100
PID 5064 wrote to memory of 4028	5064	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe	100
PID 4028 wrote to memory of 3720	4028	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe	101
PID 4028 wrote to memory of 3720	4028	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe	101
PID 4028 wrote to memory of 3720	4028	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe	101
PID 3720 wrote to memory of 4400	3720	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe	102
PID 3720 wrote to memory of 4400	3720	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe	102
PID 3720 wrote to memory of 4400	3720	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe	102
PID 4400 wrote to memory of 1712	4400	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe	103
PID 4400 wrote to memory of 1712	4400	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe	103
PID 4400 wrote to memory of 1712	4400	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe	103
PID 1712 wrote to memory of 964	1712	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe	104
PID 1712 wrote to memory of 964	1712	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe	104
PID 1712 wrote to memory of 964	1712	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe	104
PID 964 wrote to memory of 2988	964	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe	105
PID 964 wrote to memory of 2988	964	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe	105
PID 964 wrote to memory of 2988	964	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe	105
PID 2988 wrote to memory of 5104	2988	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe	106
PID 2988 wrote to memory of 5104	2988	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe	106
PID 2988 wrote to memory of 5104	2988	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe	106
PID 5104 wrote to memory of 4428	5104	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe	107
PID 5104 wrote to memory of 4428	5104	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe	107
PID 5104 wrote to memory of 4428	5104	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe	107
PID 4428 wrote to memory of 4216	4428	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe	108

C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe
"C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840
- \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe
  c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3088
- - \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe
    c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe
      c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:376
    - - \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4216
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5096
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1112
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2660
        
        \??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202y.exe
        
        c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe

Filesize
326KB

MD5
b9a3fdb8011b157cbc48f891c4d8d91d

SHA1
cf209282a206bce7a41ef710425dfdd4e47b8c2c

SHA256
68957c2d4e3e786548d68f3ed3c7f0ad2af96bb73922a7161565b0ee7bdc4393

SHA512
7625cff9abcbed01508e2dbe8a3b6eb7375c41e7e4d68ec5c4a57c5be5cba7edbc53f4f3eb0884ba0d77d81b42c865cf32aaef24cb5600e1714af98d971f1371

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe

Filesize
327KB

MD5
00ceb23a791ab9ab7af6ac7d172aba4f

SHA1
dfbcfc5b9589cb69419b58fa19a3d515b5db6be1

SHA256
cba41f590271117287771f9019dda8709d2275665e138ae27d02adebea0f2b9a

SHA512
19e5d15a0a5f4ae3b7915c2c636e783f6eb63976bb16923834b20cd4556dd05c86222ea8176f665aac6dfd2e7bdf6a54a9634ebdf47de078a7f2e5b7f08ae94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe

Filesize
327KB

MD5
a723aaceb06e4dbe9707dbc6a9650d14

SHA1
407e26860fabefe365bbba774f4fbbf46e67ee58

SHA256
b232f66b2de01995f5e1a951e351776c48c52d383a9affd69fc820d1f1ef14b7

SHA512
4823e94765870ff1c476780aafcf023a9f58911f7b2500b51e1d76e5637318a3d3194c7467bdd60fb3d39366d910ef1089cbc227513a7ff2268d3d005bcd62f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe

Filesize
327KB

MD5
42b8fe8ac239b36462b0d52af491b845

SHA1
ea7db5c2f56d6bffae9874d74ea960ec2cd282c6

SHA256
be6923174d95a6ebce0656dbe1d29dd3a14fa415d9bf338da5dc3df728869fe4

SHA512
0beb4653e07c4bcb68401d9159f97eea65ff4a1f64a76b18aabafaee728c41dd04ca16b440208be323675927dc863250c24993c5e887337b4515efcab51ffb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe

Filesize
328KB

MD5
7c457667f921c5cea18517d080d1fa4c

SHA1
fc251aeb6ad601ce27771e4a2990579d20d39ac8

SHA256
874f35380c3664c63581a8f8bdbc0c807a9a739f34bcc191090ccbba3c923f31

SHA512
eb8ac1ef79d8785ee3c499596aa6cb5b8d54fb3a49807b787b9b4943ba621a1f1d677222e9530125dcac520a9146a6202e87cd3634bab804312a692cf5e91657

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe

Filesize
328KB

MD5
88152be3300c3707152d17c6367ad77f

SHA1
69ebadf53e3122d25b8c265d6625d930d665e260

SHA256
fa6317e7c98ed9a3a024d2b9f6dd2ba726789fad19734212564d429bc52e6f1b

SHA512
2ea1ffccbf4cfaeb8eee25551f41e95e173668a26fb72aaf07c86ba504672db49aa80c3e6b8cb5602eb074d73b2d131b0b73be6b5eda5b98a687d174b9163f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe

Filesize
329KB

MD5
2f906a7b32ba62f39d5ce3ae1243e0b4

SHA1
637e54bf412dd24e46d2c61d9a562706fc1916dd

SHA256
e3efecb672fdf40320d9dd8b95e04b31f3d700ee7f2da042c3b0fa53d390c16c

SHA512
c84bd461c1b52c9cfc8c479f83d5f53af322c2785f0d5d5bd6a2781f9b9bc1cf894d22b27be7dfc1a31d6fd799f41efe21c8acf4dcbdf2bcff8cd19f881d6809

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe

Filesize
330KB

MD5
237587fdbc27c391734dd7902a6cc8a1

SHA1
efab939c4c0dfcc3c405c770a6bcedd46bf65f56

SHA256
daa770fc8b40aaf1c9803bdd24cfa6ed855853874315caa44296117f027ac36d

SHA512
778599e8c8bb7a6aafed706ff441628e786e685fb7999ecfc8ba3381f6f213060f80ff3ed69c1f02754edf463cbd95e5c74e689d3b89aa613070f38a2d351f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe

Filesize
330KB

MD5
7488bf45b38e718f44994ec671f5ff77

SHA1
facf4741d643cda2e6ba50d1fc91d10a169bb83d

SHA256
16642a6e50732da859b33ac2428b137926a82453c726e24d795c6fc57cf45a05

SHA512
413c8adb6f38ebd5f1c5e7606223c6a2f2408f0ec49072e5045e22d76e7862f25a88ee80f2f374bd7b4c20ec3839eebf81b23ba554bd9d104314e08049f72d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe

Filesize
331KB

MD5
e694d324cec515ccfda54469d9888e62

SHA1
fe87365a9494c1e970b343b213af345fff2ad20c

SHA256
76c42ef4064764e68c0b42f61794dc2751a87331d9886c71113bdf0c9c0c31ae

SHA512
b9c957626f95e947ba87a51406d42c18f8d00e12befd0c9a9be0d2efafc987dde2ea5bae542c50176682606f13ecbb462955c8595582f7a3ace8d58e60977f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe

Filesize
332KB

MD5
08d62856d865b793984da1eea631a034

SHA1
4d1018ec47080257587f30abc3a33440c513b9b6

SHA256
725503412a7178d1ac71cf5ec7fbb0846d77eda5f7e5eebe8fa714f07fc97731

SHA512
56f0034e9822a8daa27e4f3085b522c8bcdde6ea48ce758d0dc7c9e932f64217948b3787f178451242a0b7cff024f9d1a73c559e310d69dfed69d01f7c6e8795

Download Submit
C:\Users\Admin\AppData\Local\Temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202y.exe

Filesize
332KB

MD5
a065ecba6cf9d70b5d3f246b497f9fb3

SHA1
a4e1f6b863dd989efeb083a929c6303bbb2e0cfd

SHA256
1669c1868e55bdf51c35169c7015c89f3015dea6d3c0c6eaa8ddd4595c7aed8b

SHA512
622d9a296e9df6eecf9c0bee1d7e406c259e099f8c32b187fbcc1a39cfd8ecb7ebd36a2b2d5270ec86aadf041c4ded41dc5e263769e8f13caef1b6e175bf748a

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe

Filesize
326KB

MD5
6e222e773b89da5506635547efce3a64

SHA1
2c93be3a2b7921b94cfb1d0d6a05c8fc87169742

SHA256
e5f39be346d8d4dd4224f63888c7bb6ca0f2aea78d8b4cd2b54574716fce888c

SHA512
a494dd1f3c078df46f5cab5e166e0d27bf643a46227e68baf14598be302e47bdc0705f79a5798f0f271d12a4bb2fdd32dfa90f73d61a3b28ef40708166c3a821

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe

Filesize
326KB

MD5
d3a6547d0a4dbf0e9995d584645be595

SHA1
3d777a9cbdb28d7085e20f25eb05369f50236054

SHA256
6efb07c191cee03b04b5c31bfa01960673e6f70a70433a69c046470e0d6ec0b2

SHA512
d2638988abfbbd77c2f507324c975e493727a72c0a3fe64ef6b7a26378acad59e9d8c1f4e21acdd1e9e9906213fddcfbefe8fab1fa44f3ab0bffddbc3550eb50

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe

Filesize
327KB

MD5
a8b5d245c4fc66be5e79f052a4ccd05e

SHA1
2830d1da62d6f2f5dc1fa341d5f53ae8b64c70cd

SHA256
ced9420e6d788f5e2a99bba6be4c1a2089937e8e23c8901017b4ae3ff62be250

SHA512
14d67a9b36a045d297fdf7bc21f0016ca51b4ce22efa822c386e4cbab740cbd0ff6ccbd4d691df0f1f2127df69e05551e3347ff054a1e286f8dac21d50070ddf

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe

Filesize
328KB

MD5
270bbf0308df883543fa244fff5c8b4b

SHA1
d5a70fb8e1f19ae904f51eb2678dfb0aeda15285

SHA256
6b73cdf3097573e499a617c56cfa8198de4a8cc0422780ecf1623c36e72f8790

SHA512
fd629f11d0544ca961e7de9c1504da2bc2fa6ee472d0c13dde83714b23babfc660538c258242fe16ce0f2fadc10c3c2b0fe98c1b5122d23767e12855fd8591a0

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe

Filesize
328KB

MD5
d5f7606a2b920f1bfad721093bae95c2

SHA1
595504eca189cf1834a7de6f7e1375340bbc745e

SHA256
6cc0e5aba4edf3fdbceaa0c1ac374ff31e5f5e3ecc1151f78d7e1daf58b63cb2

SHA512
8508e80eb25051a8c04f7f57ea314d2843d8673dcbe8ac8739ff6e3a0587501e1b42e14dd8f33de77a9ac40a029fb35da2c64be95da2686a24246b786dc7416f

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe

Filesize
328KB

MD5
eeee3bd54b5292ba78e73fb5a1abe0d0

SHA1
7c6ac28526d41a004397c0aa0a5d4b6d0bdae1d2

SHA256
f82e11f21115e9044364eaf136751a3cebfccdc58155681a851de8f8de2fd50a

SHA512
db519a2542ac2e2259f35e1d357220e7770eb8d5a879777bb29dd11c6e5186238bcdac99f818e110d736284e40a32bad452e4abb7564977d8e8a4b61adf621ca

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe

Filesize
329KB

MD5
7c39b84c190336dec4459421fc491f0c

SHA1
3ebce93d5ec449055d07cee1d127ec5279240670

SHA256
6c04491b2f8097c7a8ec749ec9f66a032c19ae729104b9c7163050c566fa93ec

SHA512
3d1b9058496c0a54df706470ac1c34c5c30fb5d5ed2c8c71be9bcae57d29712d0cc3c5fb63606a4421ca4e2d66e77c06ad8febe4cd9ec3920a06ffdbcc0fe088

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe

Filesize
329KB

MD5
dff9e9965caa25f3b02c759effe054d5

SHA1
e876c5ae3e6d4c4f2aecad219d860a6a5a67abfb

SHA256
25350db0e4c773932d830c270c4fac394016aa11fe2dce785588217136d2ba15

SHA512
45963b96211dea7e99ece17c9ccd178903f99c487d52f2507195592cbd5d033427a8b6bca1afa4154e8b5bf8e1f9d7e4d7282a1b9511a2a63479a1704b86e34e

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe

Filesize
329KB

MD5
01c6539e921cece47cf32b5cb034b29c

SHA1
31c59cfdc69880e96613f215f19388bd595049bb

SHA256
fbd456e69c16d2ef65ba4c61f0ab101a52ae81f883f4aa451971a8a8f9f0e51d

SHA512
53e798e82c81349241e88f04d4668364aa6468d9b76350972b47540a6c893dddcd1cd860c063da9f2f6ed8e39bd02c7a895925de0e0a4d1573804b801262262e

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe

Filesize
330KB

MD5
812a5d26d10a1156a2372949dd5b83af

SHA1
22bd1e7289f3cccdfe949d1274fccf8e2fb30872

SHA256
9965415c916546c2b7b9f1927d2f0fb1fc0a18c1712b1a39ed5ba2e3b1b7511f

SHA512
97dd5c701b17bfdbf8143c2f4f1e1667d007b1b06be740db4d4393ff8b9be745fecb6d621f0981c50f3d0a59b5ddc202c47d5c4161c733610081303bbc9a8d60

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe

Filesize
330KB

MD5
8391c6e77dc9fd73e37c6d292f94b212

SHA1
5b5ff243e734c2571506fca076aaec0c7e439432

SHA256
a6b5e623b6b91c7ef17deb00a0357a7ba23e0e5bcf2904961b6af9971948ae9a

SHA512
f583cebe9e5992572605f5b9ced217a2373a6a0947365d3b4cdfb13d74456678e580f58251ca69840c8ce9b4643b184d25d33fb90826ba8888a7527437b4a764

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe

Filesize
331KB

MD5
bda735d3b85530100aeec08d23ebb551

SHA1
52570a5985472a216a005c6517cd916d158e1a5d

SHA256
ab3f152f291e5c0a9e8df0a9e5a69bc53aaeb45fd024daa0bd1bfb37662a7bc0

SHA512
72543c99405965b48d0b9b4096a85c00369dca5cfea0be1a68cbe8d56816c96f053a6c894b056b3ffdf9e8e1e925a953dff3db5fe4e0b2eba23bc4fe9a466ab6

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe

Filesize
331KB

MD5
95ceb6163da1af85da0d3e13212941e9

SHA1
e9e1a73e28fbd63e0986464aef07e02157a9fbce

SHA256
00e274a5f94be5a47c61bfe4867e3959e9635d4dbed42ae0d34f402059ef8fb6

SHA512
a30eec79cb9ea19b9081218069dc89f59ce4c23f2e9015075bf4b51dbf9b3d0105af0346bda0937e15fed11d2d3b17cf05fa5c103bf53df3c64fcbd3fe0f0d60

Download Submit
\??\c:\users\admin\appdata\local\temp\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe

Filesize
331KB

MD5
ad8075b93a843fd7a8ea3021cf4d9b3a

SHA1
e2ca3655a58741ec211e987f7190fb288af6aaee

SHA256
bb5130bfeb8e5440212bd4b1c97f12762a383af07f57d68f026f6a66f673656d

SHA512
9338cafc7f86aef6e9a4902a52baecab3b7a8ade8797b2ef04cfa7168a65df1cc61003e1cc1eadf3d9193eb8d92e1169a146c85b461c4d202d9347dff00c316e

Download Submit
memory/376-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/840-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/840-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/964-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1112-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1320-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1320-75-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-172-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1712-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2072-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2560-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2836-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2836-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2988-195-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2988-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3088-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3088-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3504-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3504-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3720-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3720-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3824-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3948-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3948-114-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4028-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4400-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4428-212-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4528-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4928-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5064-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5064-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5084-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5084-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5096-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5104-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202l.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202j.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202q.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202u.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202a.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202p.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202d.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202t.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202y.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202i.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202f.exe\""	5722f4d052bd2d7172bf8e30d0f00024c0dd25065548b9aca948358556988f11_3202e.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads