d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 04:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Size

278KB
MD5

661c89dc751168d347f0cb11fd4a8709
SHA1

64585e4237a94cc77910c844f2995edd75c121a0
SHA256

d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458
SHA512

55d355321db71ef4e99cc7ea8417029b44c36cd473929f6c47ff7928037507180f17f79be48353fca088410e48a1f08f80fba1deb058eeea01a021cbca857de7
SSDEEP

6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sX1zQI:ZtXMzqrllX7Xw6EI

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
2672	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
2688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
2288	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
2444	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
2124	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
1564	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
1248	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
2336	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
1508	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
1756	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
2016	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
1616	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
3028	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
792	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
328	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
2884	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
2976	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
1472	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
1684	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
956	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
1900	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
2960	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
1440	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
2240	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
1536	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2204	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
2204	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
3048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
3048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
2672	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
2672	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
2688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
2688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
2288	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
2288	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
2444	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
2444	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
2124	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
2124	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
1564	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
1564	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
1248	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
1248	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
2336	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
2336	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
1508	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
1508	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
1756	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
1756	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
2016	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
2016	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
1616	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
1616	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
3028	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
3028	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
792	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
792	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
328	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
328	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
2884	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
2884	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
2976	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
2976	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
1472	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
1472	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
1684	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
1684	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
956	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
956	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
1900	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
1900	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
2960	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
2960	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
1440	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
1440	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
2240	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
2240	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000e000000012335-5.dat	upx
behavioral1/memory/3048-14-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2204-15-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/3048-28-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2672-42-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2688-56-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2444-72-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2444-85-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2288-71-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2124-100-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1564-101-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1564-115-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1248-131-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2336-132-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2336-146-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1508-147-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000013309-154.dat	upx
behavioral1/memory/1508-155-0x0000000000250000-0x000000000028A000-memory.dmp	upx
behavioral1/memory/1508-162-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1756-169-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1756-176-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2016-193-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1616-194-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1616-207-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/792-229-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/3028-222-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/792-236-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/328-249-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2884-250-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2884-260-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2976-261-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2976-271-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1472-272-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1472-282-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1684-283-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1684-293-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/956-294-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/792-306-0x0000000000440000-0x000000000047A000-memory.dmp	upx
behavioral1/memory/956-305-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1900-316-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2960-322-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2960-327-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1440-337-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2240-338-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2240-348-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1536-349-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c515cb690e5875db	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3048	2204	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe	28
PID 2204 wrote to memory of 3048	2204	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe	28
PID 2204 wrote to memory of 3048	2204	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe	28
PID 2204 wrote to memory of 3048	2204	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe	28
PID 3048 wrote to memory of 2672	3048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe	29
PID 3048 wrote to memory of 2672	3048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe	29
PID 3048 wrote to memory of 2672	3048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe	29
PID 3048 wrote to memory of 2672	3048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe	29
PID 2672 wrote to memory of 2688	2672	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe	30
PID 2672 wrote to memory of 2688	2672	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe	30
PID 2672 wrote to memory of 2688	2672	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe	30
PID 2672 wrote to memory of 2688	2672	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe	30
PID 2688 wrote to memory of 2288	2688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe	31
PID 2688 wrote to memory of 2288	2688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe	31
PID 2688 wrote to memory of 2288	2688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe	31
PID 2688 wrote to memory of 2288	2688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe	31
PID 2288 wrote to memory of 2444	2288	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe	32
PID 2288 wrote to memory of 2444	2288	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe	32
PID 2288 wrote to memory of 2444	2288	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe	32
PID 2288 wrote to memory of 2444	2288	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe	32
PID 2444 wrote to memory of 2124	2444	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe	33
PID 2444 wrote to memory of 2124	2444	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe	33
PID 2444 wrote to memory of 2124	2444	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe	33
PID 2444 wrote to memory of 2124	2444	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe	33
PID 2124 wrote to memory of 1564	2124	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe	34
PID 2124 wrote to memory of 1564	2124	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe	34
PID 2124 wrote to memory of 1564	2124	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe	34
PID 2124 wrote to memory of 1564	2124	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe	34
PID 1564 wrote to memory of 1248	1564	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe	35
PID 1564 wrote to memory of 1248	1564	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe	35
PID 1564 wrote to memory of 1248	1564	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe	35
PID 1564 wrote to memory of 1248	1564	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe	35
PID 1248 wrote to memory of 2336	1248	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe	36
PID 1248 wrote to memory of 2336	1248	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe	36
PID 1248 wrote to memory of 2336	1248	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe	36
PID 1248 wrote to memory of 2336	1248	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe	36
PID 2336 wrote to memory of 1508	2336	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe	37
PID 2336 wrote to memory of 1508	2336	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe	37
PID 2336 wrote to memory of 1508	2336	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe	37
PID 2336 wrote to memory of 1508	2336	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe	37
PID 1508 wrote to memory of 1756	1508	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe	38
PID 1508 wrote to memory of 1756	1508	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe	38
PID 1508 wrote to memory of 1756	1508	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe	38
PID 1508 wrote to memory of 1756	1508	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe	38
PID 1756 wrote to memory of 2016	1756	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe	39
PID 1756 wrote to memory of 2016	1756	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe	39
PID 1756 wrote to memory of 2016	1756	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe	39
PID 1756 wrote to memory of 2016	1756	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe	39
PID 2016 wrote to memory of 1616	2016	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe	40
PID 2016 wrote to memory of 1616	2016	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe	40
PID 2016 wrote to memory of 1616	2016	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe	40
PID 2016 wrote to memory of 1616	2016	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe	40
PID 1616 wrote to memory of 3028	1616	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe	41
PID 1616 wrote to memory of 3028	1616	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe	41
PID 1616 wrote to memory of 3028	1616	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe	41
PID 1616 wrote to memory of 3028	1616	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe	41
PID 3028 wrote to memory of 792	3028	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe	42
PID 3028 wrote to memory of 792	3028	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe	42
PID 3028 wrote to memory of 792	3028	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe	42
PID 3028 wrote to memory of 792	3028	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe	42
PID 792 wrote to memory of 328	792	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe	43
PID 792 wrote to memory of 328	792	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe	43
PID 792 wrote to memory of 328	792	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe	43
PID 792 wrote to memory of 328	792	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
"C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
  c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3048
- - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
    c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
      c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2688
    - - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:328
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2884
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2976
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1472
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1684
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:956
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1900
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2960
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1440
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2240
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe

Filesize
278KB

MD5
1749886525e2e1550f1aedef99e18157

SHA1
fa3fc53931cab89ce733a842645a2b930987cfab

SHA256
76efcc5846dc86d99f7b467c89359c1680f28b037468f8eddb694973dd409c48

SHA512
5800f4b8c2c8dc152975fe77da6b164641a26cfd11faa5850c2fcd48480e93c3a92775af624072292e8d5a1ceb8e986e0b3dccb153979e1582285faa4b9d608d

Download Submit
\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe

Filesize
278KB

MD5
849c059c8ffd2685250dbda6c4aa8c9a

SHA1
85887c321996dce2c2b1fe8444a52de1d96b87c9

SHA256
d3f55ef6375290bb1534f11c3a409f4bb7880b33687ab09080b3888082edf49c

SHA512
cbcaa146f7c4f376f54e1d65a6bbfe9532ce49ca60484823185253826fb58e8fa38ff1aa0a0a5c8d38ddbe97e0c1cb1541e719ebe52aadd5c2203716dd6823fe

Download Submit
memory/328-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/792-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/792-237-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/792-236-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/792-306-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/956-301-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/956-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/956-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-129-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1440-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1472-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1472-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1508-147-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1508-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1508-155-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1536-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-115-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-110-0x0000000000390000-0x00000000003CA000-memory.dmp

Filesize
232KB

Download
memory/1564-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1616-194-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1616-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-293-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1900-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2016-191-0x00000000004D0000-0x000000000050A000-memory.dmp

Filesize
232KB

Download
memory/2016-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2016-190-0x00000000004D0000-0x000000000050A000-memory.dmp

Filesize
232KB

Download
memory/2124-100-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-11-0x00000000003C0000-0x00000000003FA000-memory.dmp

Filesize
232KB

Download
memory/2204-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2240-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2240-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2288-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-146-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2672-42-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-260-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2884-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2960-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2960-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2976-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2976-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3028-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3048-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads