d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 04:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Size

278KB
MD5

661c89dc751168d347f0cb11fd4a8709
SHA1

64585e4237a94cc77910c844f2995edd75c121a0
SHA256

d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458
SHA512

55d355321db71ef4e99cc7ea8417029b44c36cd473929f6c47ff7928037507180f17f79be48353fca088410e48a1f08f80fba1deb058eeea01a021cbca857de7
SSDEEP

6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sX1zQI:ZtXMzqrllX7Xw6EI

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
772	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
1056	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
4684	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
3608	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
3368	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
2780	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
4688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
4000	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
5044	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
1936	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
4036	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
1312	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
4604	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
4788	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
3360	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
2436	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
3132	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
4228	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
3268	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
2284	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
2644	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
4048	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
4548	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
4456	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
4912	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
4488	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1548-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000c000000023b83-4.dat	upx
behavioral2/memory/772-15-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1548-9-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1056-19-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/772-20-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1056-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4684-34-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4684-40-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3608-39-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3608-49-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3368-58-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2780-59-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4688-67-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2780-69-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4688-77-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-85.dat	upx
behavioral2/memory/4000-87-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5044-88-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5044-95-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1936-105-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4036-115-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1312-123-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4788-139-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4788-143-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3360-144-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3360-154-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2436-153-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4604-134-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2436-162-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3132-168-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3132-172-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4228-180-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3268-183-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-190.dat	upx
behavioral2/memory/3268-193-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2284-191-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2284-200-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2644-211-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4048-212-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4048-221-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4548-222-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4912-241-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4912-251-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4488-250-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4548-238-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4456-237-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4488-252-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 85d7d0e64315e3e3	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 772	1548	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe	86
PID 1548 wrote to memory of 772	1548	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe	86
PID 1548 wrote to memory of 772	1548	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe	86
PID 772 wrote to memory of 1056	772	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe	87
PID 772 wrote to memory of 1056	772	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe	87
PID 772 wrote to memory of 1056	772	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe	87
PID 1056 wrote to memory of 4684	1056	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe	88
PID 1056 wrote to memory of 4684	1056	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe	88
PID 1056 wrote to memory of 4684	1056	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe	88
PID 4684 wrote to memory of 3608	4684	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe	89
PID 4684 wrote to memory of 3608	4684	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe	89
PID 4684 wrote to memory of 3608	4684	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe	89
PID 3608 wrote to memory of 3368	3608	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe	90
PID 3608 wrote to memory of 3368	3608	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe	90
PID 3608 wrote to memory of 3368	3608	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe	90
PID 3368 wrote to memory of 2780	3368	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe	91
PID 3368 wrote to memory of 2780	3368	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe	91
PID 3368 wrote to memory of 2780	3368	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe	91
PID 2780 wrote to memory of 4688	2780	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe	92
PID 2780 wrote to memory of 4688	2780	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe	92
PID 2780 wrote to memory of 4688	2780	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe	92
PID 4688 wrote to memory of 4000	4688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe	93
PID 4688 wrote to memory of 4000	4688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe	93
PID 4688 wrote to memory of 4000	4688	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe	93
PID 4000 wrote to memory of 5044	4000	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe	94
PID 4000 wrote to memory of 5044	4000	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe	94
PID 4000 wrote to memory of 5044	4000	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe	94
PID 5044 wrote to memory of 1936	5044	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe	95
PID 5044 wrote to memory of 1936	5044	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe	95
PID 5044 wrote to memory of 1936	5044	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe	95
PID 1936 wrote to memory of 4036	1936	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe	96
PID 1936 wrote to memory of 4036	1936	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe	96
PID 1936 wrote to memory of 4036	1936	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe	96
PID 4036 wrote to memory of 1312	4036	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe	98
PID 4036 wrote to memory of 1312	4036	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe	98
PID 4036 wrote to memory of 1312	4036	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe	98
PID 1312 wrote to memory of 4604	1312	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe	99
PID 1312 wrote to memory of 4604	1312	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe	99
PID 1312 wrote to memory of 4604	1312	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe	99
PID 4604 wrote to memory of 4788	4604	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe	100
PID 4604 wrote to memory of 4788	4604	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe	100
PID 4604 wrote to memory of 4788	4604	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe	100
PID 4788 wrote to memory of 3360	4788	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe	101
PID 4788 wrote to memory of 3360	4788	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe	101
PID 4788 wrote to memory of 3360	4788	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe	101
PID 3360 wrote to memory of 2436	3360	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe	102
PID 3360 wrote to memory of 2436	3360	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe	102
PID 3360 wrote to memory of 2436	3360	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe	102
PID 2436 wrote to memory of 3132	2436	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe	104
PID 2436 wrote to memory of 3132	2436	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe	104
PID 2436 wrote to memory of 3132	2436	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe	104
PID 3132 wrote to memory of 4228	3132	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe	105
PID 3132 wrote to memory of 4228	3132	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe	105
PID 3132 wrote to memory of 4228	3132	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe	105
PID 4228 wrote to memory of 3268	4228	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe	107
PID 4228 wrote to memory of 3268	4228	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe	107
PID 4228 wrote to memory of 3268	4228	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe	107
PID 3268 wrote to memory of 2284	3268	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe	108
PID 3268 wrote to memory of 2284	3268	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe	108
PID 3268 wrote to memory of 2284	3268	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe	108
PID 2284 wrote to memory of 2644	2284	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe	109
PID 2284 wrote to memory of 2644	2284	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe	109
PID 2284 wrote to memory of 2644	2284	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe	109
PID 2644 wrote to memory of 4048	2644	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe	110

C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
"C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548
- \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
  c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:772
- - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
    c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
      c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4684
    - - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4048
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4548
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4456
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4912
        
        \??\c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
        
        c:\users\admin\appdata\local\temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe

Filesize
278KB

MD5
849c059c8ffd2685250dbda6c4aa8c9a

SHA1
85887c321996dce2c2b1fe8444a52de1d96b87c9

SHA256
d3f55ef6375290bb1534f11c3a409f4bb7880b33687ab09080b3888082edf49c

SHA512
cbcaa146f7c4f376f54e1d65a6bbfe9532ce49ca60484823185253826fb58e8fa38ff1aa0a0a5c8d38ddbe97e0c1cb1541e719ebe52aadd5c2203716dd6823fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe

Filesize
278KB

MD5
852b83ff3d06a817f58ce551917ce38b

SHA1
f7514e125ebe40ae29707cedae18c19209a30aaa

SHA256
2e0a8fc2152ff929afd508ccf89243b6da7114dd89476cc8e2d90e60214b0d17

SHA512
b5a298de584a7bad41aeddf66bd08c09ed444ce411a20ca319af3a61a1fdde85efd7241f3cd06716356c74aa35d65bcaed43259348f1aee6172b28f3065f780d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe

Filesize
278KB

MD5
4d168765b9e616cb96a5fda89968c0cf

SHA1
f27cd051dbcc9d04ece9d95286ca0fc26a69e7c2

SHA256
ebbc293da003e69db1cfbb1764f4cfc0f5db3833f6754880227c4856b3037d0a

SHA512
b6d9cd17bfbfe4aa09eda206f5085ee1ecda41db1af9e5638974e918aa18870cdf3427fe70d8ef2ce4d07c00da82c21a0038d4d5dc8650b1716b5c0ad119581e

Download Submit
memory/772-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/772-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1056-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1056-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1312-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2436-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2436-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2644-211-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2780-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3132-172-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3132-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3268-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3268-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3360-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3368-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3608-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3608-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4000-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4036-115-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4048-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4048-212-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4228-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4456-237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4488-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4488-252-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4548-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4548-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4604-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-34-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4688-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4688-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4788-139-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4912-241-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4912-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5044-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5044-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202k.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202o.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202q.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202n.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202y.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202c.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202f.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202i.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202t.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202a.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202v.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202x.exe\""	d7e1312f8f4c12de2d2527796d12fcf9e68baed8ca446b388946d664e8ff3458_3202w.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads