44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Size

456KB
MD5

2d5e62dd31357049e5c12e49da045152
SHA1

86dd00ac9e9d76d00aad284b23994fae217f2add
SHA256

44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb
SHA512

105cb79acb1d19efff234c5a342023a58a063ea0ce5bf0ab8bce0b887f670f56ff5ee94c57560fe33fa2244a293ee71f106a2614e6637459ae39507636f3b3ca
SSDEEP

6144:it03a62hzpSNxV2qcJVLNyTiY6wDyIJ2r/bl5hydz3SI:Os52hzpHq8eTi30yIQrDl5hydb

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 33 IoCs

resource	yara_rule
behavioral1/memory/2328-15-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1624-16-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1624-31-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1972-55-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2604-46-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1972-63-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2476-81-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2476-96-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2692-80-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2956-119-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1556-112-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2956-127-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2288-143-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2128-150-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2128-158-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2676-174-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/896-188-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1980-204-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2020-205-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2020-219-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/540-236-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2880-250-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2300-264-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/312-276-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1708-288-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/332-300-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1572-312-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1864-324-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1144-336-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1692-348-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2356-360-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2176-371-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2572-374-0x0000000000400000-0x0000000000479000-memory.dmp	UPX

Executes dropped EXE 26 IoCs

pid	Process
1624	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
2604	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
1972	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
2692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
2476	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
1556	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
2956	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
2288	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
2128	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
2676	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
896	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
1980	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
2020	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
2880	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
2300	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
312	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
1708	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
332	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
1572	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
1864	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
1144	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
1692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
2356	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
2176	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
2572	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2328	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
2328	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
1624	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
1624	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
2604	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
2604	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
1972	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
1972	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
2692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
2692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
2476	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
2476	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
1556	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
1556	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
2956	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
2956	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
2288	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
2288	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
2128	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
2128	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
2676	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
2676	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
896	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
896	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
1980	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
1980	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
2020	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
2020	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
2880	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
2880	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
2300	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
2300	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
312	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
312	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
1708	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
1708	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
332	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
332	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
1572	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
1572	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
1864	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
1864	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
1144	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
1144	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
1692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
1692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
2356	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
2356	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
2176	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
2176	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = df132515b3ea8e93	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1624	2328	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe	28
PID 2328 wrote to memory of 1624	2328	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe	28
PID 2328 wrote to memory of 1624	2328	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe	28
PID 2328 wrote to memory of 1624	2328	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe	28
PID 1624 wrote to memory of 2604	1624	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe	29
PID 1624 wrote to memory of 2604	1624	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe	29
PID 1624 wrote to memory of 2604	1624	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe	29
PID 1624 wrote to memory of 2604	1624	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe	29
PID 2604 wrote to memory of 1972	2604	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe	30
PID 2604 wrote to memory of 1972	2604	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe	30
PID 2604 wrote to memory of 1972	2604	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe	30
PID 2604 wrote to memory of 1972	2604	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe	30
PID 1972 wrote to memory of 2692	1972	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe	31
PID 1972 wrote to memory of 2692	1972	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe	31
PID 1972 wrote to memory of 2692	1972	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe	31
PID 1972 wrote to memory of 2692	1972	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe	31
PID 2692 wrote to memory of 2476	2692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe	32
PID 2692 wrote to memory of 2476	2692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe	32
PID 2692 wrote to memory of 2476	2692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe	32
PID 2692 wrote to memory of 2476	2692	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe	32
PID 2476 wrote to memory of 1556	2476	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe	33
PID 2476 wrote to memory of 1556	2476	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe	33
PID 2476 wrote to memory of 1556	2476	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe	33
PID 2476 wrote to memory of 1556	2476	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe	33
PID 1556 wrote to memory of 2956	1556	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe	34
PID 1556 wrote to memory of 2956	1556	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe	34
PID 1556 wrote to memory of 2956	1556	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe	34
PID 1556 wrote to memory of 2956	1556	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe	34
PID 2956 wrote to memory of 2288	2956	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe	35
PID 2956 wrote to memory of 2288	2956	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe	35
PID 2956 wrote to memory of 2288	2956	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe	35
PID 2956 wrote to memory of 2288	2956	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe	35
PID 2288 wrote to memory of 2128	2288	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe	36
PID 2288 wrote to memory of 2128	2288	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe	36
PID 2288 wrote to memory of 2128	2288	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe	36
PID 2288 wrote to memory of 2128	2288	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe	36
PID 2128 wrote to memory of 2676	2128	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe	37
PID 2128 wrote to memory of 2676	2128	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe	37
PID 2128 wrote to memory of 2676	2128	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe	37
PID 2128 wrote to memory of 2676	2128	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe	37
PID 2676 wrote to memory of 896	2676	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe	38
PID 2676 wrote to memory of 896	2676	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe	38
PID 2676 wrote to memory of 896	2676	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe	38
PID 2676 wrote to memory of 896	2676	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe	38
PID 896 wrote to memory of 1980	896	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe	39
PID 896 wrote to memory of 1980	896	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe	39
PID 896 wrote to memory of 1980	896	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe	39
PID 896 wrote to memory of 1980	896	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe	39
PID 1980 wrote to memory of 2020	1980	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe	40
PID 1980 wrote to memory of 2020	1980	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe	40
PID 1980 wrote to memory of 2020	1980	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe	40
PID 1980 wrote to memory of 2020	1980	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe	40
PID 2020 wrote to memory of 540	2020	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe	41
PID 2020 wrote to memory of 540	2020	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe	41
PID 2020 wrote to memory of 540	2020	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe	41
PID 2020 wrote to memory of 540	2020	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe	41
PID 540 wrote to memory of 2880	540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe	42
PID 540 wrote to memory of 2880	540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe	42
PID 540 wrote to memory of 2880	540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe	42
PID 540 wrote to memory of 2880	540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe	42
PID 2880 wrote to memory of 2300	2880	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe	43
PID 2880 wrote to memory of 2300	2880	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe	43
PID 2880 wrote to memory of 2300	2880	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe	43
PID 2880 wrote to memory of 2300	2880	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
"C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328
- \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
  c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1624
- - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
    c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
      c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1972
    - - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2300
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:312
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1708
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:332
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1572
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1864
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1144
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1692
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2356
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2176
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe

Filesize
456KB

MD5
5c7a010b269421bd217d940207f995d8

SHA1
6d4663ed104ed4857564f9c51ef9440aaa95557e

SHA256
23b15fca6faa552cb30fc1d23542b71e240c3039f008cf97b9bb6e8dd3e2e1e2

SHA512
e744581c32a4eec64bd13ce4a9b858c664b00383806491a87a5470782a2f9878103840e78019bdab125bcb7e260f0b375a3a44d93f1ffc9f396ae286a5572908

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe

Filesize
458KB

MD5
2331cc02aa59d3c85d3360e900e55982

SHA1
76f7481db5619f38bc8850bd88ab69b93bc1b6fc

SHA256
3cc6fdf352326b4f5c8f2f30bae87057f56ceaf3b691fd320b11241175f10082

SHA512
37c8065fc5cc331bc03cf89b8da4511559355c89f4378dfd17166f547905b96fb4c17ca6b79d1ad783412cbffc07432f82ff5c0fe4246ad9f9decc37d6633692

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe

Filesize
456KB

MD5
fb3480df88bbb73956bc55fbffe372be

SHA1
6c31bae475350633c8168f6a71888959262d7f2e

SHA256
123e7a9dc51dcbdf8df60a6eee2ad1645a6a1ab9025ef78287bad2b5432f6e19

SHA512
22afd9a466d7d231132e91e41e54f1ab4783030e1aa27948537f5423c1ceb51775619bb5073df7703326e8ebbe5b6927a66c4fa33c39bc8eddc1bf9625937c21

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe

Filesize
457KB

MD5
aceabdf8ee754db2a09d1468dc8cee4f

SHA1
91c8fbd54a301bd0f4e057417528ce53fefbd4b7

SHA256
22e931e0409dc9049c0098a373fcd1983e8756245db0e6bc10acc5f48ccec5db

SHA512
c0479fa590deccdb4a6fcdc65b5d4d7f9ee71631e287a47ca45e668865218568f9365be3f1ab1e2839326f89e9790b173a958ac438a57f06cd28f38f9f131d3d

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe

Filesize
457KB

MD5
823a45853a1bab8f89634ca01df37318

SHA1
c9e316116fdf45493cfe276fcdc59f53a4098e88

SHA256
1c5de3c02f7304c9aefc273322f9f2e0bdedeabddeee8e92be79927f5b717048

SHA512
4e74bd32146081a42f7dabad6a403b5b84881a65b04fc506a00c07e18125572951afe2001f250a0df2631969c8f47fe99c67df593f455d0f29d2dbb54158c80e

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe

Filesize
457KB

MD5
f16d49ef25b0a6ce54014fc985231786

SHA1
8d36caae9a21ce0e3913789ac520aad1ad668065

SHA256
063fa604fb38ea533ec691ba962add384b3d3ef3efe8ce588dcd697fe77e3b19

SHA512
7744057d53c171bffe4fa88ce318b1e03fa1fcc8372e6f8de417b6ab79d3cd9905aad0979e659ba0f9ae594cf047bfdd80322b3b5e9a725d750e017804e5c66c

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe

Filesize
457KB

MD5
92a082e1567f7922437cf1eab9ad5916

SHA1
5a8fd3e239048a17a6ad5d79fcb3da198dc2127d

SHA256
4534ee750fe6eb4dae46175e7969bee96c1e5ca7fbcc9815b50d54171fd30950

SHA512
135d00df92ea4d63bb387d5880bb6bd4f245275971729cca253bbe096810885c2fdbaf85be98c33a87e457a3c2f30061b41cf0e91decb7cc738aa0bd970eb8ec

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe

Filesize
458KB

MD5
19cafa218a0d39302198fc6e68f88df7

SHA1
5268b46dd063338f3a56da7051fe9f1e9741dfc0

SHA256
303266b2c37e2e58c69463b577916d1ae2e5e4c23f7c387f0fc807e8c8d54c48

SHA512
18935373ab16c6778b8a881355896d467daf4379880eebeaaf6d87dc9d7219db6682d949a9e54d4dcd6e8921c1daab63af69d1cdc5214c74e93fa469a6af64b7

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe

Filesize
458KB

MD5
d3a8fa7ac016649bffb924a7eea4cc17

SHA1
21dfc01fee3fb6eba1a92b0b4bd6cc4f8c95aed6

SHA256
c1eca49c3020d67ef939bb9cb9dba1663ddae8c101380ac17f3b09fffac9285f

SHA512
7488846da5cc72b9733ec4b8e04d0ddb03b8cedaf72615e8877bd4ffd62151d5de230cac95e8afe2fcb4cc5a6520d274fec8c202c6306dd97d2bca48d63f9a2f

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe

Filesize
458KB

MD5
76add939be952c7c5a5318fc7ec5d0b9

SHA1
35c741c71b4c8efb1837ce779cc5df888b8f56aa

SHA256
750798556d9b2b2bbc80b4ec829791a3443387047f3c7faa566106e9dc67d53b

SHA512
b1087f69215ebe3b906dc8a74c10ee72021095c589889f916889b42a44c66ef94cbc9f1587825b2cf2b2a729e75ea81c37d69d2e7d2aea50599fb7c4156d4ab4

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe

Filesize
459KB

MD5
d20a82f15c8b4cd5d6bf9b75938ca58f

SHA1
4d51d53c3da6d5adc36e325d43b6eec97853a9d5

SHA256
6af1a8739ab2770833752df31273c4f90acad086da3f8e0ee0d2cff7229e8bf6

SHA512
247558eb7d8f385dd66280bd1cf8ab13f05618c6929aba93adf833bdcf1685d84ea76e684899d08a1bbae407de61afff5fedadc5232f3845c9db65e805631ebb

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe

Filesize
459KB

MD5
07e54267bbcd8d73c3df648eb5748d0a

SHA1
e8bbc12281a9ea50a3661e3a5149cede2f93d2ae

SHA256
b4402b4bd7168324d20ea0037433749e09d41107b5f1b568edb4b10071afec35

SHA512
5daa79266cee7e625ad9f9b18f79bc9781d422b0283b7d744badb874f56c34437931004e8cfd08a049302416ccc6dedc5b35a57248d5f2c89fb709f623321e31

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe

Filesize
459KB

MD5
5dcc6af975108536c3a708fadbc4ebc0

SHA1
fd3b33e4f366d3a6e74349ae6af69278031536c0

SHA256
61ecbf8dfff194c11941818f880e94388449bacc47a67a25bc2dbb509a0a9b9d

SHA512
87e0c95e56f07368e7aafd7d5870ef380e24dc2284bc8be199b2b75ee569ae59fdbf6ec8eddb94a5bad906c81a3044350ceb0595728ada8c28765be36577baeb

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe

Filesize
459KB

MD5
84ea34eb59dee1584be9478d79c46025

SHA1
6f67cb5e4fa56349c39de72d4208f19360ad5f58

SHA256
b4045ba5f4ae8bf783dcd3637658bba567b73e961e98be6f79da7d28c24f45a6

SHA512
c80a9a6fea10c7481bc0837c6fed0df901cc848d34d8c7bca1c1064f3fe10c7d0788e0e26b575463dc70f1b7e5d52368a21b5f702ff89b93fe6c31ff8bbd44d2

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe

Filesize
460KB

MD5
98b621bc8845d59cbbdd766188c94191

SHA1
1a4db0b253e6abba50c59865d6689ad6be5f316c

SHA256
cf8fae6923ee0d56168c78b9a27ef1d20fb56d4e0484d1cc8f9852fc0be9806a

SHA512
c13cdee84215ec62a9456e24138f042dbaea9824920a16a1899c6b5c7960b21dc01bfc649575db9778fec5d9d76cfb5d4a0ab7da5eb5b3e5cef50f2be60a8ed8

Download Submit
\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe

Filesize
460KB

MD5
9f14e389bfbbe59caa3832cf12e9ea2e

SHA1
98bd81725ebf1657d650348402a445ab134ad7e6

SHA256
a1855e03f98c14767370bc2ac7e3148a21d545e496ddfb7a83c8c0fc9574d4ff

SHA512
0b7f1e58a360f03ddccfdb387b832e142c751ff0f49be316df22cb90bc10cecbff5fa6a43ca508190d75eaeae6b7a51adb24467366085f94fbd2bbd08db1a947

Download Submit
memory/312-276-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/312-265-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/332-300-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/332-289-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/540-236-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/540-221-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/896-188-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1144-325-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1144-336-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1556-97-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1556-112-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1572-301-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1572-312-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1624-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1624-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1692-348-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1692-337-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1708-277-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1708-288-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1864-324-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1864-313-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1972-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1972-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1980-204-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2020-219-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2020-205-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2128-158-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2128-150-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2176-371-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2288-143-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2300-252-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2300-264-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2328-8-0x0000000002740000-0x00000000027B9000-memory.dmp

Filesize
484KB

Download
memory/2328-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2328-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2356-349-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2356-360-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2476-81-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2476-96-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2572-374-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2572-372-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2604-47-0x0000000001D20000-0x0000000001D99000-memory.dmp

Filesize
484KB

Download
memory/2604-46-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2604-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2676-174-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2692-80-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2692-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2880-250-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2956-119-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2956-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads