cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Size

315KB
MD5

5077c1eb6b35261779cdce8c7fb82995
SHA1

e99ccfde3f1f6a189c21c29e80594f48c0745457
SHA256

cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf
SHA512

494ebe6ad6720dc49c4c2af24cef7bf886fb2be9b730555cf305b0f54a12cdecb748ec460942bd09ae8d567b87a873ddf95b863e4fa4f0a5ed0033c3b2e27f14
SSDEEP

3072:Wae7OubpGGErCbuZM4EQrjo7vgHJJPPIjyBrOd8l:WacxGfTMfQrjoziJJHIQZl

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
2516	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
2652	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
2680	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
2536	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
2184	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
1336	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
2512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
1240	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
2344	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
1036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
2888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
2928	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
2820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
772	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
1856	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
448	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
1008	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
2008	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
2000	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
2160	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
2124	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
1144	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
2064	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
2192	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
1788	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1632	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
1632	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
1512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
1512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
2516	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
2516	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
2652	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
2652	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
2680	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
2680	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
2536	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
2536	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
2184	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
2184	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
1336	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
1336	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
2512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
2512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
1240	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
1240	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
2344	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
2344	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
1036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
1036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
2888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
2888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
2928	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
2928	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
2820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
2820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
772	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
772	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
1856	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
1856	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
448	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
448	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
1008	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
1008	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
2008	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
2008	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
2000	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
2000	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
2160	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
2160	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
2124	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
2124	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
1144	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
1144	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
2064	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
2064	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
2192	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
2192	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000a0000000122b8-5.dat	upx
behavioral1/memory/1512-21-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1632-14-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x00300000000143fd-31.dat	upx
behavioral1/memory/1512-30-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0008000000014594-38.dat	upx
behavioral1/memory/2516-45-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2652-47-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x00080000000146e6-56.dat	upx
behavioral1/memory/2652-61-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2680-63-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000700000001471d-78.dat	upx
behavioral1/memory/2536-79-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2680-77-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2536-94-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000014726-92.dat	upx
behavioral1/memory/2184-109-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0007000000014857-107.dat	upx
behavioral1/memory/1336-116-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2512-128-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000800000001568c-127.dat	upx
behavioral1/files/0x0006000000015be6-134.dat	upx
behavioral1/memory/2512-141-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015ca6-151.dat	upx
behavioral1/memory/2344-158-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015cba-168.dat	upx
behavioral1/files/0x0006000000015cd5-192.dat	upx
behavioral1/memory/2888-191-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1036-189-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2344-173-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1240-156-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0031000000014454-198.dat	upx
behavioral1/memory/1336-125-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2928-208-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2888-206-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015ce1-214.dat	upx
behavioral1/memory/2820-223-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2928-222-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015ceb-230.dat	upx
behavioral1/memory/772-239-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2820-238-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000015d07-254.dat	upx
behavioral1/memory/772-253-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/448-272-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1856-266-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/448-279-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1008-290-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2008-291-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2008-302-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2000-303-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2160-320-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2000-314-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2160-326-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2124-337-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1144-343-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1144-349-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2064-360-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2192-366-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2192-372-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1788-374-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e7cb7e27ad2b7c93	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1512	1632	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe	28
PID 1632 wrote to memory of 1512	1632	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe	28
PID 1632 wrote to memory of 1512	1632	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe	28
PID 1632 wrote to memory of 1512	1632	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe	28
PID 1512 wrote to memory of 2516	1512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe	29
PID 1512 wrote to memory of 2516	1512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe	29
PID 1512 wrote to memory of 2516	1512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe	29
PID 1512 wrote to memory of 2516	1512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe	29
PID 2516 wrote to memory of 2652	2516	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe	30
PID 2516 wrote to memory of 2652	2516	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe	30
PID 2516 wrote to memory of 2652	2516	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe	30
PID 2516 wrote to memory of 2652	2516	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe	30
PID 2652 wrote to memory of 2680	2652	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe	31
PID 2652 wrote to memory of 2680	2652	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe	31
PID 2652 wrote to memory of 2680	2652	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe	31
PID 2652 wrote to memory of 2680	2652	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe	31
PID 2680 wrote to memory of 2536	2680	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe	32
PID 2680 wrote to memory of 2536	2680	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe	32
PID 2680 wrote to memory of 2536	2680	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe	32
PID 2680 wrote to memory of 2536	2680	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe	32
PID 2536 wrote to memory of 2184	2536	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe	33
PID 2536 wrote to memory of 2184	2536	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe	33
PID 2536 wrote to memory of 2184	2536	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe	33
PID 2536 wrote to memory of 2184	2536	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe	33
PID 2184 wrote to memory of 1336	2184	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe	34
PID 2184 wrote to memory of 1336	2184	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe	34
PID 2184 wrote to memory of 1336	2184	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe	34
PID 2184 wrote to memory of 1336	2184	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe	34
PID 1336 wrote to memory of 2512	1336	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe	35
PID 1336 wrote to memory of 2512	1336	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe	35
PID 1336 wrote to memory of 2512	1336	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe	35
PID 1336 wrote to memory of 2512	1336	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe	35
PID 2512 wrote to memory of 1240	2512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe	36
PID 2512 wrote to memory of 1240	2512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe	36
PID 2512 wrote to memory of 1240	2512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe	36
PID 2512 wrote to memory of 1240	2512	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe	36
PID 1240 wrote to memory of 2344	1240	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe	37
PID 1240 wrote to memory of 2344	1240	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe	37
PID 1240 wrote to memory of 2344	1240	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe	37
PID 1240 wrote to memory of 2344	1240	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe	37
PID 2344 wrote to memory of 1036	2344	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe	38
PID 2344 wrote to memory of 1036	2344	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe	38
PID 2344 wrote to memory of 1036	2344	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe	38
PID 2344 wrote to memory of 1036	2344	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe	38
PID 1036 wrote to memory of 2888	1036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe	39
PID 1036 wrote to memory of 2888	1036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe	39
PID 1036 wrote to memory of 2888	1036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe	39
PID 1036 wrote to memory of 2888	1036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe	39
PID 2888 wrote to memory of 2928	2888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe	40
PID 2888 wrote to memory of 2928	2888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe	40
PID 2888 wrote to memory of 2928	2888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe	40
PID 2888 wrote to memory of 2928	2888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe	40
PID 2928 wrote to memory of 2820	2928	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe	41
PID 2928 wrote to memory of 2820	2928	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe	41
PID 2928 wrote to memory of 2820	2928	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe	41
PID 2928 wrote to memory of 2820	2928	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe	41
PID 2820 wrote to memory of 772	2820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe	42
PID 2820 wrote to memory of 772	2820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe	42
PID 2820 wrote to memory of 772	2820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe	42
PID 2820 wrote to memory of 772	2820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe	42
PID 772 wrote to memory of 1856	772	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe	43
PID 772 wrote to memory of 1856	772	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe	43
PID 772 wrote to memory of 1856	772	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe	43
PID 772 wrote to memory of 1856	772	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
"C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632
- \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
  c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
    c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
      c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1856
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:448
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1008
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2008
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2000
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2160
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2124
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1144
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2064
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2192
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe

Filesize
315KB

MD5
05c1297e6ec47823ff46f71fe3c78de2

SHA1
922868fe1c1add606eef863d5f961120f6fbc714

SHA256
cd115a301feac84f9b33973f6c053e9b7b96524b89e99d6c1905d6c07c2abc74

SHA512
740c5210fb26902a167e7cf3b47e171474c81d2ced87f013a986850c6851e27d3ab2f5db986cf126b092ee1db65d296b26022b3a6e32da94ffcbf2f3e36a10cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe

Filesize
315KB

MD5
5a901f2d9a1ab5c930ec2590b5cd0274

SHA1
2a241ffbd9e44ba8efaeccec396a6d9462628e88

SHA256
1a65e38b0a420d832adc9b5c7a5c1327063f3df4e2090709d042834251abc440

SHA512
1c109a658801144905f8b73a2e0e89fc5503c045721d604f268f7621635edb186bf7509a183ff82393a5cef9b09c4b90d92a0a05ad11e407b68c1dc160b6ae2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe

Filesize
316KB

MD5
ab2fb2a10fb30f1f154cdfe438643961

SHA1
11a56e12d8bfbb9a305490c491ab95cb8249ad4d

SHA256
da9e7ad7e425a2d5250a550f5eaa6c811702aa5c9eae4795fff98d81312ea81d

SHA512
643ba8a338037897e2140c6c579e3cfc656cc8a8827d4027a16db3d182e3d8d10afcb79b03d591f6eecfa626f359b26241cf11df80e77143f9bd4b2ea7eb7513

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe

Filesize
316KB

MD5
3353ab2435d9a9c52242fdde1987f07f

SHA1
37425e8bb7f15cbce5c0160652d2dbb9a55b110e

SHA256
da13864cc79034f3172e9077ba80415630c926595fa4a131af7a50203b3467a0

SHA512
21d47ec5b22c0000d2915525955f23016aa7b96cf73a6677402a81958a908b392ad8ae55b2c334c5827183fd088bafa19e6f7622dfcaeaafc05f977b0275b5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe

Filesize
316KB

MD5
462cbd14916c6a340428c3468c559b19

SHA1
fa394f5016815f3076f2bdf20672350d63889807

SHA256
a052803190184a90fc0b8b13c0c84a3c93a57c7193df152a3bba2b5b21024e18

SHA512
72121722728d7472aa9c94431582780e4b50199cb2ce0349e95840141543fb531a2d6625cef152c5dac8197ad609e20231d4b8efcfdbd832eda3538749569ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe

Filesize
318KB

MD5
a5f81802bcfecbec9e988e2d5aca67f8

SHA1
420bbf35fb90bdf694a232a4155b006236c2f81c

SHA256
efe4e2c073f3bbb5e50621cb1545f36c054f946d64b450de16fe1c688be3fdbc

SHA512
a1dc84d8c089b3075f0241629037040a343afae9aeb0fa242ce4abc2b7fb44da61ac0bb472cbd81afa0562e5842a2f5a0af0fa65ffaad34d3a06bf003883906a

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe

Filesize
317KB

MD5
6d947d465d22ddfe2dbb32d00b521ffd

SHA1
4b6110b5e547d231762eb07955612958c8d400cc

SHA256
0c5f8d7f7de467357a1de15868e93c32886ce373b0b3d0e6ff21ea733d88c0a8

SHA512
48cba48e637996c74fbc21852e3915397fb196d8c04f542c4338961fd34328de8275f566692b169d94e31ee67490d130d1f5d49369b0281e56bce0790fe3c111

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe

Filesize
318KB

MD5
1b1ffeee773e6407f66c9532421dd583

SHA1
46cb5c1112d8aae80c39933fa821202dd71d4855

SHA256
549742a7814a692d90bf4c0094a5a27044d367fe0b076e46cf3b86341affd92a

SHA512
a13f593d2eb6b7ab57abfadb4aeb0b067bd50b3b3cf0d47f423fb303ca9086ec302695db57bd3f10088c0406c582f42d5e1d5901b5294fa782de91963e7c4574

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe

Filesize
315KB

MD5
8b66b0d82d0ecc327be56f5ab8f36a90

SHA1
cda4910a502ea1c60f629ee8d39ac1c522f04a43

SHA256
0dc73fb529f549399c3af5a9a14eaa46e4c38af8988251ead92287c6e60a2040

SHA512
603cf248b363a5a8bdcb6ec1dda01d607aa1cee4675b37bdaa4b87865d4367f2fda40ccd5078e9063f4f5c4452ff0dbd25df728c32f7ac6cb5eeade57edc95aa

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe

Filesize
316KB

MD5
1ffeab1583324503b63dc34967ecc367

SHA1
8ed39e91bab481b71c847fdb655c01134a2a709b

SHA256
1926547a9de62ae5d92e2c737578a47358ac324aa2acded7b17dbbde900804a4

SHA512
6b2ec84c03d00da5893e8dcceefc3d1dba86e48d0ce5bdda9a72bf3558f5b673a5d26921fcc9659d575e2139f83858db932bc4cb7189e88887492bcaa6133048

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe

Filesize
317KB

MD5
b1425b3f5e783ebf5e614d1b89dc5df0

SHA1
9ab83facf1409062ca2f9a5d39f90d604fc36a28

SHA256
c6b3c410e480bb756f731069e62cc25812b3b7ddab99dcc510eb4f076cba1299

SHA512
29b7b632795118f54f6d2266500e23914bc59c55b85e3b92871a75420beec275faf2d63004d47d1647954600719c1f8eb6514c651b90cff0e71b8a4b82a7e6d5

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe

Filesize
317KB

MD5
96d2dadeb103cee19bc3c76eea636bcb

SHA1
30dce034b99591c6bf4208c09cee2e46c6e12dc8

SHA256
76fa45ab59b3698742e236cfc14b74009a4fffb1d4cf00efeb2fb947c4364530

SHA512
12c06981cfac5c7e77fa8d1b66ca86c570b7d6f0e96140a90593b6d25a67af92b89c394e63e948801efa0f354a5d17ce070ba13363a95122ba9188cf262008af

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe

Filesize
317KB

MD5
717534e1b0120742aa7446be1d9aab83

SHA1
2b3d94231b2f31522c42c89e6e80e56968297746

SHA256
d247b0509df63039333883cdc0d8e55b923947734bf6f357c90b8e2a4a1178ef

SHA512
a8006113b4a459a8bef0c1896dbbd0111ced2a82cdcbbfa36958dcb906f76b54fe7eb476864f747043b85eb7dd0b986b93537fcbb1c7e7e4911c32ee53eafd88

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe

Filesize
318KB

MD5
3e8270680dfa787d97aaa2d63535c9d6

SHA1
3b3d23983ff71cb940943211a57c0052b0360e1e

SHA256
3db863494f59858de035a69e9b93dee2aa2c61b54b60823b8b03317e721cb413

SHA512
92ae429d65a3d000b0bdd01f8f1d71efa41abd7a0b89f1cf901184554134153f2954af0c6ed331614d1e3b8c08623ec6f93bc84cae8f046ff05a5caa6f79a1c3

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe

Filesize
318KB

MD5
897397480cf9b8ed74c4be9cac3310b6

SHA1
6df374b77cab5b60e07cc803b342c7a26282ff90

SHA256
0f88b347811549b79b4d25aff235047872d3ac60a035a4c83d94ae68b72a7104

SHA512
983a57f330365b8304f767cef82373b2bbd1c52329b118432a8d98e2b31b9dfdc1196b1eb7ccc135424fc291c0debaf88b8ff2c07404fd79685abdb06de502b5

Download Submit
\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe

Filesize
318KB

MD5
849abd010f5637026f7f2345ffa82477

SHA1
1736969c153598e6db4f5d7a4088fafd91f763b5

SHA256
011028fea253a93de2c03e1e41de603077105b3a96cdc9b1c507dc6a8703d7a8

SHA512
c5768abc126aa6028a3b61412a4297fa9e0ea20fcd4b1e57b1d0e89c8ead6748b5fe3d4553aacec0f065e84015647874387e5eb63cdaf341cd3d0c27640b52ea

Download Submit
memory/448-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/448-274-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/448-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/772-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/772-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1008-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1036-183-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1036-189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1144-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1144-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1240-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1336-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1336-119-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1336-125-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-30-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-24-0x0000000000350000-0x000000000038A000-memory.dmp

Filesize
232KB

Download
memory/1512-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1632-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1632-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1788-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2000-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2000-314-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-302-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2064-360-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2124-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2160-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2160-320-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2184-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-366-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2344-167-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2344-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2344-173-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2512-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2512-141-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2516-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-93-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2536-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2652-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2652-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2680-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2820-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2888-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2928-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads