44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb

Analysis

max time kernel
139s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Size

456KB
MD5

2d5e62dd31357049e5c12e49da045152
SHA1

86dd00ac9e9d76d00aad284b23994fae217f2add
SHA256

44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb
SHA512

105cb79acb1d19efff234c5a342023a58a063ea0ce5bf0ab8bce0b887f670f56ff5ee94c57560fe33fa2244a293ee71f106a2614e6637459ae39507636f3b3ca
SSDEEP

6144:it03a62hzpSNxV2qcJVLNyTiY6wDyIJ2r/bl5hydz3SI:Os52hzpHq8eTi30yIQrDl5hydb

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 40 IoCs

resource	yara_rule
behavioral2/memory/4272-27-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2920-21-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1920-16-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4272-40-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/912-44-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1836-41-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1836-36-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/912-54-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/656-65-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/656-55-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/616-75-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4760-82-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4268-90-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4268-95-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2340-106-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1488-127-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4688-117-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1488-115-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/800-135-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1416-146-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/5000-158-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1540-159-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1540-167-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3308-179-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2196-189-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1840-209-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1840-207-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1224-212-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1224-222-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1040-198-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1088-238-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4516-260-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4628-264-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4516-274-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4628-276-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4004-278-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4768-252-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4768-249-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2024-248-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2024-236-0x0000000000400000-0x0000000000479000-memory.dmp	UPX

Executes dropped EXE 26 IoCs

pid	Process
2920	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
4272	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
1836	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
912	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
656	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
616	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
4760	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
4268	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
2340	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
4688	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
1488	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
800	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
1416	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
5000	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
1540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
3308	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
2196	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
1040	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
1840	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
1224	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
1088	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
2024	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
4768	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
4516	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
4628	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
4004	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = a1d6fe70dadad412	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2920	1920	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe	85
PID 1920 wrote to memory of 2920	1920	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe	85
PID 1920 wrote to memory of 2920	1920	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe	85
PID 2920 wrote to memory of 4272	2920	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe	86
PID 2920 wrote to memory of 4272	2920	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe	86
PID 2920 wrote to memory of 4272	2920	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe	86
PID 4272 wrote to memory of 1836	4272	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe	87
PID 4272 wrote to memory of 1836	4272	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe	87
PID 4272 wrote to memory of 1836	4272	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe	87
PID 1836 wrote to memory of 912	1836	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe	88
PID 1836 wrote to memory of 912	1836	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe	88
PID 1836 wrote to memory of 912	1836	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe	88
PID 912 wrote to memory of 656	912	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe	89
PID 912 wrote to memory of 656	912	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe	89
PID 912 wrote to memory of 656	912	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe	89
PID 656 wrote to memory of 616	656	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe	91
PID 656 wrote to memory of 616	656	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe	91
PID 656 wrote to memory of 616	656	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe	91
PID 616 wrote to memory of 4760	616	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe	92
PID 616 wrote to memory of 4760	616	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe	92
PID 616 wrote to memory of 4760	616	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe	92
PID 4760 wrote to memory of 4268	4760	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe	93
PID 4760 wrote to memory of 4268	4760	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe	93
PID 4760 wrote to memory of 4268	4760	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe	93
PID 4268 wrote to memory of 2340	4268	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe	95
PID 4268 wrote to memory of 2340	4268	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe	95
PID 4268 wrote to memory of 2340	4268	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe	95
PID 2340 wrote to memory of 4688	2340	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe	96
PID 2340 wrote to memory of 4688	2340	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe	96
PID 2340 wrote to memory of 4688	2340	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe	96
PID 4688 wrote to memory of 1488	4688	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe	98
PID 4688 wrote to memory of 1488	4688	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe	98
PID 4688 wrote to memory of 1488	4688	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe	98
PID 1488 wrote to memory of 800	1488	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe	99
PID 1488 wrote to memory of 800	1488	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe	99
PID 1488 wrote to memory of 800	1488	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe	99
PID 800 wrote to memory of 1416	800	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe	100
PID 800 wrote to memory of 1416	800	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe	100
PID 800 wrote to memory of 1416	800	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe	100
PID 1416 wrote to memory of 5000	1416	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe	101
PID 1416 wrote to memory of 5000	1416	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe	101
PID 1416 wrote to memory of 5000	1416	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe	101
PID 5000 wrote to memory of 1540	5000	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe	102
PID 5000 wrote to memory of 1540	5000	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe	102
PID 5000 wrote to memory of 1540	5000	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe	102
PID 1540 wrote to memory of 3308	1540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe	103
PID 1540 wrote to memory of 3308	1540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe	103
PID 1540 wrote to memory of 3308	1540	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe	103
PID 3308 wrote to memory of 2196	3308	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe	104
PID 3308 wrote to memory of 2196	3308	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe	104
PID 3308 wrote to memory of 2196	3308	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe	104
PID 2196 wrote to memory of 1040	2196	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe	105
PID 2196 wrote to memory of 1040	2196	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe	105
PID 2196 wrote to memory of 1040	2196	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe	105
PID 1040 wrote to memory of 1840	1040	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe	106
PID 1040 wrote to memory of 1840	1040	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe	106
PID 1040 wrote to memory of 1840	1040	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe	106
PID 1840 wrote to memory of 1224	1840	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe	107
PID 1840 wrote to memory of 1224	1840	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe	107
PID 1840 wrote to memory of 1224	1840	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe	107
PID 1224 wrote to memory of 1088	1224	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe	108
PID 1224 wrote to memory of 1088	1224	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe	108
PID 1224 wrote to memory of 1088	1224	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe	108
PID 1088 wrote to memory of 2024	1088	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe	109

C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
"C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1920
- \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
  c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2920
- - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
    c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
      c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1836
    - - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
      - \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2024
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4768
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4516
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4628
        
        \??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
        
        c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe

Filesize
456KB

MD5
5c7a010b269421bd217d940207f995d8

SHA1
6d4663ed104ed4857564f9c51ef9440aaa95557e

SHA256
23b15fca6faa552cb30fc1d23542b71e240c3039f008cf97b9bb6e8dd3e2e1e2

SHA512
e744581c32a4eec64bd13ce4a9b858c664b00383806491a87a5470782a2f9878103840e78019bdab125bcb7e260f0b375a3a44d93f1ffc9f396ae286a5572908

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe

Filesize
456KB

MD5
fb3480df88bbb73956bc55fbffe372be

SHA1
6c31bae475350633c8168f6a71888959262d7f2e

SHA256
123e7a9dc51dcbdf8df60a6eee2ad1645a6a1ab9025ef78287bad2b5432f6e19

SHA512
22afd9a466d7d231132e91e41e54f1ab4783030e1aa27948537f5423c1ceb51775619bb5073df7703326e8ebbe5b6927a66c4fa33c39bc8eddc1bf9625937c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe

Filesize
457KB

MD5
92a082e1567f7922437cf1eab9ad5916

SHA1
5a8fd3e239048a17a6ad5d79fcb3da198dc2127d

SHA256
4534ee750fe6eb4dae46175e7969bee96c1e5ca7fbcc9815b50d54171fd30950

SHA512
135d00df92ea4d63bb387d5880bb6bd4f245275971729cca253bbe096810885c2fdbaf85be98c33a87e457a3c2f30061b41cf0e91decb7cc738aa0bd970eb8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe

Filesize
458KB

MD5
2645d35de60328f4f4bd41ade1029625

SHA1
9f1755f47f05681ac99e63dd45d557543dcacd77

SHA256
60105a31169d84cf5e69822f995111d70ae3960f5cc49503439a850236da3d69

SHA512
9a6d1c6378e6279b75df68cc1865c7f34f2bfcd1ae5cb771f1a0bc8ead39e1af4d891e86c68e7d096e7fce318aa130b32979fcbe1de565de5ac7d86da57ceb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe

Filesize
458KB

MD5
d56b0249abbf1198654ba03492a1524d

SHA1
9501cbc54fb5b609c51d7baa8998a402070c8370

SHA256
d52905bafc1e2e7936fb864910599a3f2a4b5002828dc58359bf691e25db842b

SHA512
9ae88e0fec6f454f986a52081db034eeaa88a2705697235fbb7975afdc9d45480bde4a9ba555a36a844d076f2a6e86246a493467005568005f859a55c74a2855

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe

Filesize
458KB

MD5
9b75ccd474a846c0dd5fac24ca5396fa

SHA1
2231c0079044e10a74d7359bbe9828120356ef38

SHA256
6ee7ff68e63953f5bd18a7f747eb64989bbf77d65e032e35c78d364a5608c08c

SHA512
094fb7be754044abe93e3e484a57d9549e8960d1ecc70e8e38194a7609b15178f6fa1f517d1b78d7713c77f28bf09330c2e28f4407c1299b11d7e5185c8868c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe

Filesize
458KB

MD5
474c054de762f74a17fb73807315495e

SHA1
d6b4c79b6a51110bbeea72f3b485b3a829a95b9b

SHA256
94a196ba8a098583df215afac170f4800413ab8036703c0acb143d0058fb5845

SHA512
0953d5fc211ccafda0136fb4bf4669eb934868782f5802ff84e7a35630e736c555d4382997c38eaf34c1d6a9aaa1b2c8aaed902ae02c7ee8480a636c65db6626

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe

Filesize
459KB

MD5
aac551e8d64bd6bc327a8573032d1cba

SHA1
b3f38aa8b119856a8bebe39da0837b43e6577dd2

SHA256
013245bd787f9bdce39cbb3b0fb0d35a856d78c146b006fcf5035eee285fd10d

SHA512
68d8e912d42cf922770a3e7328aa9ec04152f8e27e9e848a6bacc7fec27b4f6ddab0683a494d9e684dbbeaf9bec09b045a7a7d79ffca2ea34aeae25f767bc54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe

Filesize
459KB

MD5
7728894665cf92b6e5f3870353947823

SHA1
6cfcdb949184587158261cfd5d17f8c1d1ca7d8c

SHA256
153ca50e7bec4fb2c504ae2c6e5626cf309a008028db42bf8b7d70984dfa9178

SHA512
4920793604c97834be46903bbc89198935e1fab043ba47d03bfed665124407c30c867e137af4596157f9a2786e09c8ae473979326f15e5a053de1652cbab4adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe

Filesize
460KB

MD5
12cc7a4ae47004d008fa35460487bfb5

SHA1
e8a1d17e60196d8675db0a6cf0d6471d316a4558

SHA256
c025d215ae57361668f46b34f285f538c9671c8460ef1f41eaf5a27148d29986

SHA512
b9dbcb52ca84b8c7f5604885668f89b212b3a9a274fd014f9d1adbcd84cf1f5f3bc34856f9a11b2be98454b1e15c6f46f9f15f07be2a8d9ffa8f45fae6709730

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe

Filesize
460KB

MD5
04600280babb6154f4011cd668307a75

SHA1
423607866f59f67480070f1ecf6bb614b882afee

SHA256
a131eb6ff0f3a63b63087a82d43b7566cc7238bb64035746eba4b092880fdf4d

SHA512
18b54440794f68749791949023b94c9ea59d5d748606370157d8c1e4c0c8ab47f8ec1a390796185b74376896613003b7019e2133651117a981a43db2b8b2430f

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe

Filesize
460KB

MD5
f70b184284b86b6a0261ae90c1204de6

SHA1
f783cc0f5d1c437644a79c704d7e8d6c01a8b4db

SHA256
fae6dbfe0932b596c5108e5a7506b7fb4a55fa67ff19580d454c086e50986d52

SHA512
05cefc1034ea805356fbcd9d51dfa4858a600a6307f0049ef0667bc5cec6ae625d9a3ab7440e2a972a115c855dc6368d5560474d8f8acf493a51a739dd5d438d

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe

Filesize
460KB

MD5
e8162704f05f660f185b636a9089152a

SHA1
81c6a6a4348298eda1019593d2e91f8217f3f4be

SHA256
dc62162f715fe4f69d5635c740cfa4947316f220667959162e767cf1875c94bd

SHA512
76f4782a972b27c9e4b6f228eca833b008b3c4195c3457015cd2438accbd3dc4f39e960dbdeb9365f251ce62333d24de8ee04f7f6ff89824a4f882fc4bd2d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe

Filesize
461KB

MD5
9c468264e2320269ad557c27fa77c2da

SHA1
94c32175af8aab59f0f2560dc9fcb3ac71131dbe

SHA256
abd5624c71e6e6b30d3f45e57dadcf9caf3329786125b3809d4e0aa6496a1330

SHA512
1dab878e76ca5e05762cab8f58be025debf6354bafdbd3b4e0e63e1fa8e60fc373440454d87d9415c2d81a8a75576e808c49a07cdf2b49c8d6a57819fdcf534c

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe

Filesize
461KB

MD5
773ec85c53331bb8247cab480c93cb43

SHA1
f17bf9f27df92038b0e0e2a188bc3926fa201526

SHA256
2049fb8491f15eacf469f8763fddf2b4a90d25ef40babc2ec9ab9102ca63dcdb

SHA512
dd9459525f80bc7b477f0e30cffae93a1436911bc7fbd824d2e39549f5e7cbe9d91932f332cd746dceb9ac7517313b77d233000dc2e63e22bd2564fa265e8e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe

Filesize
461KB

MD5
ed66f8439f7797d559ce9686d57b4f07

SHA1
3b9776fc4b36f68b80884e45c0811374cad1e0d6

SHA256
c56d1f4a47f9e0ed680f759d574601e795c57eec1f2ae6ce83a0daed9d357195

SHA512
2204a937422255fa8ed46569b574418263146c9d720dd083b515f6359e55654151c053b75b520b215a5887088ede75a986f9cfdcf54f292aa4ebd607d6856146

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe

Filesize
461KB

MD5
6a1f671f062b1b12bb1537fdc2643478

SHA1
f93478c8247dc2129ea16f505baf740eb878774e

SHA256
a93f03b915e4fafa9557405e2f81c7eee9ccd446aef2e43a386e0eaf20b00e3d

SHA512
7d2671a32cc6b11b8a546bbfb681da4f8abdcb0631937c0245f9b1045c90e7edd905f5e0a128a7026301bb55e43043f9658574b44242e54131318a3034998ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe

Filesize
462KB

MD5
844435578b3bbab0090382cbf37459ab

SHA1
63911850e689c88a10a7ea44f5eacf2061c0365c

SHA256
c8b7a32f735833f2f085e72e4e0e3944347db5a64a1ec02673bbc3f6f1be0131

SHA512
a2c46695094ef6e5c746c1f1fba242695027ec7d9ee97f3ea6e905d9798e14a5c03f24d248de4e13cf7153e008f6935976c7671efb2e29ab3acc5ed9db0cfa8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe

Filesize
462KB

MD5
578627f7401c4258e6ac8866fa9dbfbe

SHA1
e49840c7bc7ac5c5c6e0c8465aacfafc2998211f

SHA256
3b18095b5beb80c3c0e17c00e613d00fb39c63b7691cb13f243c9ffc6f54c28d

SHA512
5ccdbf94167af27cd76c9d9767ef951289cb6b5b8b2a8911ed821369f954f9a2d52e7d3b8a9bca2cb7da09490db9cabd18ecf9ea24a184f4396b8007262497d3

Download Submit
\??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe

Filesize
457KB

MD5
aceabdf8ee754db2a09d1468dc8cee4f

SHA1
91c8fbd54a301bd0f4e057417528ce53fefbd4b7

SHA256
22e931e0409dc9049c0098a373fcd1983e8756245db0e6bc10acc5f48ccec5db

SHA512
c0479fa590deccdb4a6fcdc65b5d4d7f9ee71631e287a47ca45e668865218568f9365be3f1ab1e2839326f89e9790b173a958ac438a57f06cd28f38f9f131d3d

Download Submit
\??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe

Filesize
457KB

MD5
823a45853a1bab8f89634ca01df37318

SHA1
c9e316116fdf45493cfe276fcdc59f53a4098e88

SHA256
1c5de3c02f7304c9aefc273322f9f2e0bdedeabddeee8e92be79927f5b717048

SHA512
4e74bd32146081a42f7dabad6a403b5b84881a65b04fc506a00c07e18125572951afe2001f250a0df2631969c8f47fe99c67df593f455d0f29d2dbb54158c80e

Download Submit
\??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe

Filesize
457KB

MD5
f16d49ef25b0a6ce54014fc985231786

SHA1
8d36caae9a21ce0e3913789ac520aad1ad668065

SHA256
063fa604fb38ea533ec691ba962add384b3d3ef3efe8ce588dcd697fe77e3b19

SHA512
7744057d53c171bffe4fa88ce318b1e03fa1fcc8372e6f8de417b6ab79d3cd9905aad0979e659ba0f9ae594cf047bfdd80322b3b5e9a725d750e017804e5c66c

Download Submit
\??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe

Filesize
459KB

MD5
c790bc605832bff0743d911ec1fb13a0

SHA1
2b5d18ac9b9d85e247baf1f5901ff53a85f814ea

SHA256
39e5ad79105c360d2392e367f9442d278ebdf15c6c1196f9aa881e1bd037e983

SHA512
417b0e635d52b8d8cbd2a5bd3c296939aa58aafd12a9fd32c78eec96c97962b18e3cf2d5098e3d6778f2b8f2599a772549be28d0560a3cf21fa00f6e7910fcc6

Download Submit
\??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe

Filesize
459KB

MD5
21f628aa3f619491b2775063bfbaaa87

SHA1
7da28dd0050c7459bfd48e72476f21b62fa2bf19

SHA256
f7dc34bcf2f3171fcbf63071fb72ccb09b714d35dda23a51f7aa25d24fb76f6e

SHA512
cea4ba43115872a35e9e7a11aa798fbf0ca0bc1237275925c4a4b9011cf6501e26cbc567397b37038ea5bb330ce7965d87c5da803916b20aa592e208520dd645

Download Submit
\??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe

Filesize
460KB

MD5
54594e8285bfab23ecb6bb7dd4c4d75d

SHA1
a2087fe9f6d5133bcbe006cb98e592bae5f78c77

SHA256
bd6c01c27c0a77ed4e58194ac7fdffa6e9bda407440f9e61ace600e9d2616b68

SHA512
37cb124d30c276af5db54a316fb9a720bcdc5fa4b296abf0232c4db44710b01478c48768b4e55072c50363062dadd116cf1b865e1772da33c838f10dda9db199

Download Submit
\??\c:\users\admin\appdata\local\temp\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe

Filesize
462KB

MD5
35af4be306f39c7b2fa31c6f8ab8dead

SHA1
6b5ed907d27be66b5a2b197c507c3c3b90de6b18

SHA256
0b702fec7a02bbaf529a1628a7790e34b121006048c1b0095af88dd9bdda8850

SHA512
d205df38cd60fcc9dcafcd312fbf0fa61f62cd87c521e01c33404d1a1e093bd7370f36b7330da8f123d97cb7ebb7212e81a1b17f89cb1e9d7bb15d1623c2a003

Download Submit
memory/616-75-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/656-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/656-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/800-135-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/912-54-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/912-44-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1040-198-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1088-238-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1224-212-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1224-222-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1416-146-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1416-138-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1488-115-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1488-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1540-159-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1540-167-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1836-41-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1836-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1840-207-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1840-209-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1920-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1920-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2024-248-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2024-236-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2196-189-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2196-180-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2340-96-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2340-106-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2920-9-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2920-21-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3308-179-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4004-278-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4268-90-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4268-95-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4272-40-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4272-27-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4516-260-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4516-274-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4628-264-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4628-276-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4688-117-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4760-82-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4768-252-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4768-249-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5000-158-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202f.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202h.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202t.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202y.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202l.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202p.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202b.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202e.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202s.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202w.exe\""	44af9ae588abcf0ed68b1d2d32558322b76eb3e4402880b4ad2e82c074e2e1bb_3202v.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads