eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94

Analysis

max time kernel
62s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe
Size

278KB
MD5

a766c3cb5a1812c47aa352c89abc82b2
SHA1

95d876c4eca9c0401ce5b98d362eb01dd288c3eb
SHA256

eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94
SHA512

e97018843d0068b9d62b3efd5a40ac1899b426550e856b805caf63df0b5f1e45b5785d9d59a7d8c52171684b5280b9aa82a5534a866106dd10172d0561413512
SSDEEP

6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sX/zQI:ZtXMzqrllX7XwEEI

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe
1388	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe
3612	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe
5060	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe
4248	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe
4132	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe
4524	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe
1080	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe
4276	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe
4392	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe
3676	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe
4608	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe
1908	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe
4964	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe
4572	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe
808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe
512	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe
4064	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe
4828	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe
2996	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe
1884	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe
4404	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202u.exe
1980	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202v.exe
3184	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202w.exe
1336	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202x.exe
4852	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202y.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1208-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000c000000023b40-5.dat	upx
behavioral2/memory/1208-8-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3808-10-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3808-18-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1388-27-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5060-40-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3612-37-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5060-47-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4248-48-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4132-66-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4248-62-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4524-74-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1080-83-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4276-92-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-100.dat	upx
behavioral2/memory/3676-101-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4392-103-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3676-112-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1908-128-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4608-121-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4964-136-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/512-159-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4828-192-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4852-242-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1336-241-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3184-238-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1980-229-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4404-220-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4404-210-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1884-209-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2996-201-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4064-182-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/512-174-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4964-149-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/808-156-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4572-146-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = d77c3556b021d344	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3808	1208	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe	84
PID 1208 wrote to memory of 3808	1208	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe	84
PID 1208 wrote to memory of 3808	1208	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe	84
PID 3808 wrote to memory of 1388	3808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe	85
PID 3808 wrote to memory of 1388	3808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe	85
PID 3808 wrote to memory of 1388	3808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe	85
PID 1388 wrote to memory of 3612	1388	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe	86
PID 1388 wrote to memory of 3612	1388	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe	86
PID 1388 wrote to memory of 3612	1388	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe	86
PID 3612 wrote to memory of 5060	3612	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe	87
PID 3612 wrote to memory of 5060	3612	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe	87
PID 3612 wrote to memory of 5060	3612	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe	87
PID 5060 wrote to memory of 4248	5060	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe	88
PID 5060 wrote to memory of 4248	5060	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe	88
PID 5060 wrote to memory of 4248	5060	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe	88
PID 4248 wrote to memory of 4132	4248	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe	89
PID 4248 wrote to memory of 4132	4248	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe	89
PID 4248 wrote to memory of 4132	4248	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe	89
PID 4132 wrote to memory of 4524	4132	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe	90
PID 4132 wrote to memory of 4524	4132	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe	90
PID 4132 wrote to memory of 4524	4132	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe	90
PID 4524 wrote to memory of 1080	4524	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe	92
PID 4524 wrote to memory of 1080	4524	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe	92
PID 4524 wrote to memory of 1080	4524	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe	92
PID 1080 wrote to memory of 4276	1080	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe	93
PID 1080 wrote to memory of 4276	1080	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe	93
PID 1080 wrote to memory of 4276	1080	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe	93
PID 4276 wrote to memory of 4392	4276	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe	94
PID 4276 wrote to memory of 4392	4276	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe	94
PID 4276 wrote to memory of 4392	4276	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe	94
PID 4392 wrote to memory of 3676	4392	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe	96
PID 4392 wrote to memory of 3676	4392	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe	96
PID 4392 wrote to memory of 3676	4392	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe	96
PID 3676 wrote to memory of 4608	3676	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe	97
PID 3676 wrote to memory of 4608	3676	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe	97
PID 3676 wrote to memory of 4608	3676	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe	97
PID 4608 wrote to memory of 1908	4608	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe	99
PID 4608 wrote to memory of 1908	4608	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe	99
PID 4608 wrote to memory of 1908	4608	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe	99
PID 1908 wrote to memory of 4964	1908	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe	100
PID 1908 wrote to memory of 4964	1908	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe	100
PID 1908 wrote to memory of 4964	1908	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe	100
PID 4964 wrote to memory of 4572	4964	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe	101
PID 4964 wrote to memory of 4572	4964	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe	101
PID 4964 wrote to memory of 4572	4964	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe	101
PID 4572 wrote to memory of 808	4572	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe	102
PID 4572 wrote to memory of 808	4572	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe	102
PID 4572 wrote to memory of 808	4572	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe	102
PID 808 wrote to memory of 512	808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe	103
PID 808 wrote to memory of 512	808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe	103
PID 808 wrote to memory of 512	808	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe	103
PID 512 wrote to memory of 4064	512	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe	104
PID 512 wrote to memory of 4064	512	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe	104
PID 512 wrote to memory of 4064	512	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe	104
PID 4064 wrote to memory of 4828	4064	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe	105
PID 4064 wrote to memory of 4828	4064	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe	105
PID 4064 wrote to memory of 4828	4064	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe	105
PID 4828 wrote to memory of 2996	4828	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe	106
PID 4828 wrote to memory of 2996	4828	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe	106
PID 4828 wrote to memory of 2996	4828	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe	106
PID 2996 wrote to memory of 1884	2996	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe	107
PID 2996 wrote to memory of 1884	2996	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe	107
PID 2996 wrote to memory of 1884	2996	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe	107
PID 1884 wrote to memory of 4404	1884	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe	108

C:\Users\Admin\AppData\Local\Temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe
"C:\Users\Admin\AppData\Local\Temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1208
- \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe
  c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3808
- - \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe
    c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe
      c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3612
    - - \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202u.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4404
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202v.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1980
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202w.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3184
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202x.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1336
        
        \??\c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202y.exe
        
        c:\users\admin\appdata\local\temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe

Filesize
278KB

MD5
28e3cc58259628e1476cb14c11faad29

SHA1
5277b1ee0a42e321b021eb7dab4b258370ab3775

SHA256
71d74f301d8e767f5e92c8e2dc1e008ca574c66ba491a1ff02f9d30536d0d68f

SHA512
9d3ca50befebeff3464ec714fb4f9915e6235217f9778cce03dc4e3e94f278bbbd8dcd5b4e68d05707c1c62c1e76c980955be8e714a5a7928b8f14cdb01678c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe

Filesize
278KB

MD5
5b7a0ddc6481f269fcaa9442527cd6f7

SHA1
20154efef3a50f6decb9079add6b5eb2056d6705

SHA256
167de57e2134a44d6c7e3c1acfca2755526a982232d14e1fa426c24baa1e5948

SHA512
d52ab0baa7c9ca86420dd0704c2ace810d9dd7ade2e1795313bde9737949d9368ba95aa62d7d53f7022c10e6985e0ed751c687df450972c9553065dbf07a23d4

Download Submit
memory/512-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/512-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/808-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1080-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1208-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1336-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1884-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1908-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1980-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2996-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3184-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3612-37-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3676-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3676-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3808-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3808-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4064-182-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4132-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4248-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4248-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4276-92-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4392-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4404-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4404-210-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4524-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4572-146-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4608-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4828-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4852-242-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4964-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4964-149-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5060-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5060-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202u.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202t.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202v.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202a.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202k.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202n.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202r.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202p.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202x.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202i.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202w.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202h.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202y.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202e.exe\""	eb28628aa5e94cb3c41a0ca100446894988a1714f39c50c6eeb278afe6082e94_3202d.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads