0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe
Size

381KB
MD5

8653e55e4fbd0dd5bbb07641d0eb13cf
SHA1

7ddffdb0ebf69041044674dccbc6711a9fff6b3e
SHA256

0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8
SHA512

5f20116d3c749cd8b9292549b1e5f8f9dcf67b5a523d22fa1d0c87bd90c672eea7f238607d1158b4a29e551be05f5b820ac72256ef1cbd0867fff968bc4d8af5
SSDEEP

6144:wt5xoNthj0I2aR1zmYiHXwfSZ4sXeFHhc:aTst31zji3w3A

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2936	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
2756	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
2572	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
2552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
2668	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
2472	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
2544	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe
2888	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
2732	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
2896	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe
1976	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
1916	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
1664	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
784	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
2200	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
2244	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
1632	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
2636	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
2300	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
2456	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
380	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
3008	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
1552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
764	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
2132	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe
3056	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1460	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe
1460	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe
2936	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
2936	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
2756	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
2756	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
2572	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
2572	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
2552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
2552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
2668	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
2668	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
2472	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
2472	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
2544	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe
2544	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe
2888	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
2888	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
2732	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
2732	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
2896	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe
2896	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe
1976	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
1976	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
1916	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
1916	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
1664	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
1664	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
784	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
784	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
2200	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
2200	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
2244	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
2244	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
1632	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
1632	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
2636	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
2636	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
2300	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
2300	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
2456	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
2456	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
380	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
380	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
3008	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
3008	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
1552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
1552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
764	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
764	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
2132	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe
2132	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c28cd5207d97e1ab	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2936	1460	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe	28
PID 1460 wrote to memory of 2936	1460	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe	28
PID 1460 wrote to memory of 2936	1460	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe	28
PID 1460 wrote to memory of 2936	1460	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe	28
PID 2936 wrote to memory of 2756	2936	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe	29
PID 2936 wrote to memory of 2756	2936	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe	29
PID 2936 wrote to memory of 2756	2936	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe	29
PID 2936 wrote to memory of 2756	2936	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe	29
PID 2756 wrote to memory of 2572	2756	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe	30
PID 2756 wrote to memory of 2572	2756	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe	30
PID 2756 wrote to memory of 2572	2756	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe	30
PID 2756 wrote to memory of 2572	2756	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe	30
PID 2572 wrote to memory of 2552	2572	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe	31
PID 2572 wrote to memory of 2552	2572	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe	31
PID 2572 wrote to memory of 2552	2572	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe	31
PID 2572 wrote to memory of 2552	2572	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe	31
PID 2552 wrote to memory of 2668	2552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe	32
PID 2552 wrote to memory of 2668	2552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe	32
PID 2552 wrote to memory of 2668	2552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe	32
PID 2552 wrote to memory of 2668	2552	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe	32
PID 2668 wrote to memory of 2472	2668	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe	33
PID 2668 wrote to memory of 2472	2668	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe	33
PID 2668 wrote to memory of 2472	2668	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe	33
PID 2668 wrote to memory of 2472	2668	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe	33
PID 2472 wrote to memory of 2544	2472	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe	34
PID 2472 wrote to memory of 2544	2472	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe	34
PID 2472 wrote to memory of 2544	2472	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe	34
PID 2472 wrote to memory of 2544	2472	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe	34
PID 2544 wrote to memory of 2888	2544	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe	35
PID 2544 wrote to memory of 2888	2544	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe	35
PID 2544 wrote to memory of 2888	2544	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe	35
PID 2544 wrote to memory of 2888	2544	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe	35
PID 2888 wrote to memory of 2732	2888	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe	36
PID 2888 wrote to memory of 2732	2888	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe	36
PID 2888 wrote to memory of 2732	2888	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe	36
PID 2888 wrote to memory of 2732	2888	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe	36
PID 2732 wrote to memory of 2896	2732	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe	37
PID 2732 wrote to memory of 2896	2732	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe	37
PID 2732 wrote to memory of 2896	2732	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe	37
PID 2732 wrote to memory of 2896	2732	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe	37
PID 2896 wrote to memory of 1976	2896	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe	38
PID 2896 wrote to memory of 1976	2896	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe	38
PID 2896 wrote to memory of 1976	2896	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe	38
PID 2896 wrote to memory of 1976	2896	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe	38
PID 1976 wrote to memory of 1916	1976	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe	39
PID 1976 wrote to memory of 1916	1976	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe	39
PID 1976 wrote to memory of 1916	1976	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe	39
PID 1976 wrote to memory of 1916	1976	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe	39
PID 1916 wrote to memory of 1664	1916	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe	40
PID 1916 wrote to memory of 1664	1916	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe	40
PID 1916 wrote to memory of 1664	1916	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe	40
PID 1916 wrote to memory of 1664	1916	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe	40
PID 1664 wrote to memory of 784	1664	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe	41
PID 1664 wrote to memory of 784	1664	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe	41
PID 1664 wrote to memory of 784	1664	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe	41
PID 1664 wrote to memory of 784	1664	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe	41
PID 784 wrote to memory of 2200	784	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe	42
PID 784 wrote to memory of 2200	784	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe	42
PID 784 wrote to memory of 2200	784	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe	42
PID 784 wrote to memory of 2200	784	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe	42
PID 2200 wrote to memory of 2244	2200	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe	43
PID 2200 wrote to memory of 2244	2200	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe	43
PID 2200 wrote to memory of 2244	2200	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe	43
PID 2200 wrote to memory of 2244	2200	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe
"C:\Users\Admin\AppData\Local\Temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460
- \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
  c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
    c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
      c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2244
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1632
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2636
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2300
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2456
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:380
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:3008
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1552
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:764
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2132
        
        \??\c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202y.exe
        
        c:\users\admin\appdata\local\temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe

Filesize
381KB

MD5
0417ce8d3abfdfb8bcec975d00a17813

SHA1
000689594b79ee7499f43434b931dcb6a007ea8a

SHA256
9617b918deff5276a31526d7d80cf9485b8636d537944118fd260e94087c9fa9

SHA512
027a594c618ab079f579538e4a57f5430907082aee8a45debd2c9cba58719a71c64a2268e4a8f7eadb4700ca9d9e142e9f265aa9b5cf24a9a4119574b3784490

Download Submit
\Users\Admin\AppData\Local\Temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe

Filesize
381KB

MD5
382a151225f4d3aa4c4b41d89dc4e320

SHA1
96c2cdcf3600d3da6a5f85e58ebc3cca1cf00e28

SHA256
f7816363f55688e2cba23cb7249438fed1f26895a9f44b9f2d6ef9b8ee032eef

SHA512
dfe8f0407a63f97687ad4dfe957c2d2028dbe8aa4cbcced3406eaec86ee3c76af04e74fe4064600fc78c5571422b3a1b8b8a6129c2a3842b73519c9a759afcd3

Download Submit
\Users\Admin\AppData\Local\Temp\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe

Filesize
381KB

MD5
e7faf49892180eec72c9c6d5b4056b15

SHA1
5636b1071e32d6eeca34c53f4947fc513edc3ad9

SHA256
38417270b7252c07dc4a185a7954d15dfb86f070a431f6e822cd6815304d68de

SHA512
9979f226ed844a34bdd6b3584a4a84723ec8be0b865337b15dbea3616cb3327147fa9ccf851cc35396cee57038cc9af57b555ff4763bc714d06939750cd03e61

Download Submit

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202h.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202m.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202p.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202v.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202u.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202s.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202y.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202d.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202g.exe\""	0445b770de12829d2473904bd012cd58433aabf7ff7f89a65e54f0f9d61835c8_3202f.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads