cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Size

315KB
MD5

5077c1eb6b35261779cdce8c7fb82995
SHA1

e99ccfde3f1f6a189c21c29e80594f48c0745457
SHA256

cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf
SHA512

494ebe6ad6720dc49c4c2af24cef7bf886fb2be9b730555cf305b0f54a12cdecb748ec460942bd09ae8d567b87a873ddf95b863e4fa4f0a5ed0033c3b2e27f14
SSDEEP

3072:Wae7OubpGGErCbuZM4EQrjo7vgHJJPPIjyBrOd8l:WacxGfTMfQrjoziJJHIQZl

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4260	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
3596	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
1760	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
592	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
2768	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
1436	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
1920	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
4808	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
2452	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
2520	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
5036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
1068	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
524	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
4040	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
2116	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
4708	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
4152	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
216	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
3888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
684	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
3668	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
4424	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
1108	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
1248	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
4820	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
4368	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3056-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000c000000023b52-4.dat	upx
behavioral2/memory/3056-8-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000c000000023b9d-19.dat	upx
behavioral2/memory/4260-18-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-27.dat	upx
behavioral2/memory/3596-28-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-36.dat	upx
behavioral2/memory/1760-39-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/592-45-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bb3-47.dat	upx
behavioral2/memory/592-51-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2768-49-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bb4-58.dat	upx
behavioral2/memory/2768-61-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1436-67-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bb5-69.dat	upx
behavioral2/memory/1436-77-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0031000000023bb6-79.dat	upx
behavioral2/memory/1920-81-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0031000000023bb7-90.dat	upx
behavioral2/memory/4808-91-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0031000000023bb8-99.dat	upx
behavioral2/memory/2452-101-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bb9-111.dat	upx
behavioral2/memory/2520-110-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5036-112-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bbb-119.dat	upx
behavioral2/memory/5036-121-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bbc-129.dat	upx
behavioral2/memory/524-138-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1068-131-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000c000000023b9e-140.dat	upx
behavioral2/memory/2116-160-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bbe-163.dat	upx
behavioral2/memory/2116-171-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bbf-174.dat	upx
behavioral2/files/0x000a000000023bc0-185.dat	upx
behavioral2/files/0x000a000000023bc1-193.dat	upx
behavioral2/memory/4152-200-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4708-183-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4152-180-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4708-169-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4040-159-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bbd-152.dat	upx
behavioral2/memory/4040-149-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bc3-217.dat	upx
behavioral2/files/0x000a000000023bc4-225.dat	upx
behavioral2/memory/4424-232-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3668-231-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/684-215-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bc2-207.dat	upx
behavioral2/memory/216-205-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3888-203-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bc5-235.dat	upx
behavioral2/memory/4424-238-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/524-143-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0002000000022e0c-245.dat	upx
behavioral2/memory/1108-247-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0002000000022e09-255.dat	upx
behavioral2/memory/1248-257-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4820-264-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023bc6-268.dat	upx
behavioral2/memory/4820-267-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 18e132246310e718	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 4260	3056	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe	83
PID 3056 wrote to memory of 4260	3056	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe	83
PID 3056 wrote to memory of 4260	3056	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe	83
PID 4260 wrote to memory of 3596	4260	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe	84
PID 4260 wrote to memory of 3596	4260	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe	84
PID 4260 wrote to memory of 3596	4260	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe	84
PID 3596 wrote to memory of 1760	3596	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe	85
PID 3596 wrote to memory of 1760	3596	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe	85
PID 3596 wrote to memory of 1760	3596	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe	85
PID 1760 wrote to memory of 592	1760	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe	86
PID 1760 wrote to memory of 592	1760	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe	86
PID 1760 wrote to memory of 592	1760	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe	86
PID 592 wrote to memory of 2768	592	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe	87
PID 592 wrote to memory of 2768	592	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe	87
PID 592 wrote to memory of 2768	592	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe	87
PID 2768 wrote to memory of 1436	2768	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe	88
PID 2768 wrote to memory of 1436	2768	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe	88
PID 2768 wrote to memory of 1436	2768	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe	88
PID 1436 wrote to memory of 1920	1436	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe	89
PID 1436 wrote to memory of 1920	1436	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe	89
PID 1436 wrote to memory of 1920	1436	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe	89
PID 1920 wrote to memory of 4808	1920	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe	91
PID 1920 wrote to memory of 4808	1920	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe	91
PID 1920 wrote to memory of 4808	1920	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe	91
PID 4808 wrote to memory of 2452	4808	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe	92
PID 4808 wrote to memory of 2452	4808	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe	92
PID 4808 wrote to memory of 2452	4808	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe	92
PID 2452 wrote to memory of 2520	2452	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe	93
PID 2452 wrote to memory of 2520	2452	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe	93
PID 2452 wrote to memory of 2520	2452	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe	93
PID 2520 wrote to memory of 5036	2520	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe	94
PID 2520 wrote to memory of 5036	2520	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe	94
PID 2520 wrote to memory of 5036	2520	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe	94
PID 5036 wrote to memory of 1068	5036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe	96
PID 5036 wrote to memory of 1068	5036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe	96
PID 5036 wrote to memory of 1068	5036	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe	96
PID 1068 wrote to memory of 524	1068	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe	97
PID 1068 wrote to memory of 524	1068	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe	97
PID 1068 wrote to memory of 524	1068	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe	97
PID 524 wrote to memory of 4040	524	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe	98
PID 524 wrote to memory of 4040	524	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe	98
PID 524 wrote to memory of 4040	524	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe	98
PID 4040 wrote to memory of 2116	4040	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe	99
PID 4040 wrote to memory of 2116	4040	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe	99
PID 4040 wrote to memory of 2116	4040	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe	99
PID 2116 wrote to memory of 4708	2116	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe	100
PID 2116 wrote to memory of 4708	2116	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe	100
PID 2116 wrote to memory of 4708	2116	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe	100
PID 4708 wrote to memory of 4152	4708	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe	101
PID 4708 wrote to memory of 4152	4708	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe	101
PID 4708 wrote to memory of 4152	4708	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe	101
PID 4152 wrote to memory of 216	4152	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe	102
PID 4152 wrote to memory of 216	4152	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe	102
PID 4152 wrote to memory of 216	4152	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe	102
PID 216 wrote to memory of 3888	216	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe	103
PID 216 wrote to memory of 3888	216	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe	103
PID 216 wrote to memory of 3888	216	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe	103
PID 3888 wrote to memory of 684	3888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe	104
PID 3888 wrote to memory of 684	3888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe	104
PID 3888 wrote to memory of 684	3888	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe	104
PID 684 wrote to memory of 3668	684	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe	105
PID 684 wrote to memory of 3668	684	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe	105
PID 684 wrote to memory of 3668	684	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe	105
PID 3668 wrote to memory of 4424	3668	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe	106

C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
"C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056
- \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
  c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4260
- - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
    c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
      c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1760
    - - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
      - \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4424
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1108
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1248
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4820
        
        \??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
        
        c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe

Filesize
315KB

MD5
05c1297e6ec47823ff46f71fe3c78de2

SHA1
922868fe1c1add606eef863d5f961120f6fbc714

SHA256
cd115a301feac84f9b33973f6c053e9b7b96524b89e99d6c1905d6c07c2abc74

SHA512
740c5210fb26902a167e7cf3b47e171474c81d2ced87f013a986850c6851e27d3ab2f5db986cf126b092ee1db65d296b26022b3a6e32da94ffcbf2f3e36a10cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe

Filesize
315KB

MD5
5a901f2d9a1ab5c930ec2590b5cd0274

SHA1
2a241ffbd9e44ba8efaeccec396a6d9462628e88

SHA256
1a65e38b0a420d832adc9b5c7a5c1327063f3df4e2090709d042834251abc440

SHA512
1c109a658801144905f8b73a2e0e89fc5503c045721d604f268f7621635edb186bf7509a183ff82393a5cef9b09c4b90d92a0a05ad11e407b68c1dc160b6ae2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe

Filesize
315KB

MD5
8b66b0d82d0ecc327be56f5ab8f36a90

SHA1
cda4910a502ea1c60f629ee8d39ac1c522f04a43

SHA256
0dc73fb529f549399c3af5a9a14eaa46e4c38af8988251ead92287c6e60a2040

SHA512
603cf248b363a5a8bdcb6ec1dda01d607aa1cee4675b37bdaa4b87865d4367f2fda40ccd5078e9063f4f5c4452ff0dbd25df728c32f7ac6cb5eeade57edc95aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe

Filesize
316KB

MD5
1ffeab1583324503b63dc34967ecc367

SHA1
8ed39e91bab481b71c847fdb655c01134a2a709b

SHA256
1926547a9de62ae5d92e2c737578a47358ac324aa2acded7b17dbbde900804a4

SHA512
6b2ec84c03d00da5893e8dcceefc3d1dba86e48d0ce5bdda9a72bf3558f5b673a5d26921fcc9659d575e2139f83858db932bc4cb7189e88887492bcaa6133048

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe

Filesize
316KB

MD5
ab2fb2a10fb30f1f154cdfe438643961

SHA1
11a56e12d8bfbb9a305490c491ab95cb8249ad4d

SHA256
da9e7ad7e425a2d5250a550f5eaa6c811702aa5c9eae4795fff98d81312ea81d

SHA512
643ba8a338037897e2140c6c579e3cfc656cc8a8827d4027a16db3d182e3d8d10afcb79b03d591f6eecfa626f359b26241cf11df80e77143f9bd4b2ea7eb7513

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe

Filesize
316KB

MD5
3353ab2435d9a9c52242fdde1987f07f

SHA1
37425e8bb7f15cbce5c0160652d2dbb9a55b110e

SHA256
da13864cc79034f3172e9077ba80415630c926595fa4a131af7a50203b3467a0

SHA512
21d47ec5b22c0000d2915525955f23016aa7b96cf73a6677402a81958a908b392ad8ae55b2c334c5827183fd088bafa19e6f7622dfcaeaafc05f977b0275b5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe

Filesize
316KB

MD5
b38a3ddbf4291ebd5c775793d0764181

SHA1
c82d86380ea0c722ac25a9d09030be73b63d8b37

SHA256
03cdc4ae5062739db555a88fd494d15c974cda1db593ba306afda4523370a628

SHA512
bc532f9ed8e1cdef6c58861fd113ce60c7f99af4ff7b9cf5f028c5be4b02b721f3199f18aca44f157751c09925ed58c5ce1001afad26fe89c0abc113cf5491f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe

Filesize
317KB

MD5
fe6700a3c400ef906e3f4141602b1aaf

SHA1
66a4b03c69b2c38604e7310fb7c4997fcdd6b6aa

SHA256
b829c45542c3e24bb7e7cfd206b7b2e6acac651fd9d7981113836c417a8110ca

SHA512
f5ba4290ac79583ee9fcbb057b9e2743a8ffd7d0b16e4d63dabb7e8318b6a29715c492f3cb7fdac3e24899ebc9ee96c76c12280edb6873d73f822d7ad402a5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe

Filesize
317KB

MD5
1d7ae7d60b0646d9c656f0d599003a35

SHA1
79616c664e961e4f3563f03efc5fb79df99c3f0d

SHA256
b31afd21c040389a9efe1d194a2a0f88a27c396db9e4ec33ab3406ad224b80d1

SHA512
c0eff4849a404fe119ac29b5ec7654ecf8c3f2ec0a589c64db8fcc36403c73d3183574f22861c6b00b2f53f2fd0b391e3299e9e52a0ccf3032272cb2c390e105

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe

Filesize
317KB

MD5
217f69d8a997481c7e2aa69369da9d84

SHA1
7cbce420af7f7ba373177fb8b4dafb9b22fbf432

SHA256
b8b99cc4bd703eb85e28162d2d39af8c9e5137835267b6f9b448dcecda9e5a4e

SHA512
d035edd9e5d627f663a9fca438318bb54f3b2ada25a12c30a0e62b39ab1999918d163f85b1a249e227ac9481b1d97f63ab5ce3a81a83766c18738c60de8f1227

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe

Filesize
318KB

MD5
5dce8680edb5eef54183799ce9b665d4

SHA1
fa0d3356f04b5d5b1ee53f2882cae2d0d80bfa39

SHA256
ebe567cf013480df2a3bddfa345e36116814ff4cc809c67322de380c1ea18337

SHA512
19cde93d59553ccbf14e08832205c0c6b41a6f62f7811364eb3226d1d5eb8e66c0f9d232894a86120ec66992666587dd9ab2ff615bd910ca23da2b1044741287

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe

Filesize
318KB

MD5
bd52deb18fe9a5af0474c1976defd048

SHA1
62832e436e283186dd93027ce09d8db393a5c800

SHA256
f1146e1f7f4e42821fb5c7dd8fe13c7362ee764484d07ff663b717163a2b2b56

SHA512
aca31dc4e034994f64a273f10a90411adfe2fc5ad0fc06a7fb43b7954b9a34fda63a89eb27e94f5619fd86f5d0bae1b20df04af92140b776f16ac05874136808

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe

Filesize
318KB

MD5
48e72bd70b9e40c008f13b3f0a0f76b4

SHA1
739b09050fc614b2bffd0a2d3f7d71f79b6874d2

SHA256
38125de3cbd1cc0a1d934a9468080843b5deb3770ca3561a98c0aad1cec89921

SHA512
7f962d1050198908adeb4799a1a23507f64f1b30202c6545884d4295d6df81263afcbeea16cfbc188711fc74cf311ba348407c085733934ae367b86ddebfa67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe

Filesize
320KB

MD5
0eeffd5f0bc5aa0512749d196a2bb6da

SHA1
d839051e7930fddb28c492fe2bed164a87da1eba

SHA256
133c78bd54b0457cf660f5e1a8c85a27af61b96fc2c87b963bc08376a9d0269c

SHA512
c21ce3bc02bf3f0dbd12ccc05f1c4402686ba134fbb3c9ae993d2e3b66d92c80dee002a157b0de5b5ad74d892196498e905135679ab2ea1667419b60f823f8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe

Filesize
320KB

MD5
3ea66d95106b7d42fa3c9355553ab6a3

SHA1
c65924ab7c82a058572116828cc56c1037cb6c4d

SHA256
930ba3975799c0a22da9e15bf74ebb68cf5d4cbed5837b7a8add26864bc8b949

SHA512
d0b78834c0454dc037f8af0a1a91be1866ecfc5b8135c9fce993d0275f02b36e1a8961734fd9da29629c3a5146dd0cca821a11b637e46fde6ef032778d0b03c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe

Filesize
321KB

MD5
a63badd6d843c439e100a36e74853721

SHA1
87e117e6087f26f903e3e98d043a089f5767ed3f

SHA256
fab7a83b9310bcdc624007cd23ea8ee1d85dbfc23a9b4605fe445b1e201efdcf

SHA512
3cc243a7a40b8ce9f6f42f07daec66a25520bc4bceaf4dbb863678325286d1f0ae3508300eb0308638fdc1a22dafa828ddbffcb7408dcd33b18dfaaa3c812ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe

Filesize
321KB

MD5
8f0a08cabacc4dacfef527d6e119edd0

SHA1
f893fdb3edb14603b72fe280570c42913cc3c464

SHA256
b6dcaf9b165af1ec59b4efda9383c2d723cd69bbdefdf824428ff042151e8299

SHA512
741a19a92662678f4388a7a32aaabe09f9b42c0f02e6ff8d1bda4ea0de191dcb5c3de1ab622b3e19ea3704c34ebda718219130fbc6ea6831778e9cadd982cf25

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe

Filesize
317KB

MD5
6cc764d108a52992fca8f38e600baa8d

SHA1
7e1dd8ecdb1f14173e7c03d1c507c26a972cd42b

SHA256
66ccad220278ac93fe0e14afef8a5760aeca0914df856e23bc7e68192b0729eb

SHA512
3f30bb750b02fdc122d945ec14a5b67ea56f90dad68f8bfe1469ff7f9b1f30f6034b9290dc17dfefb3b9525b9a8bc3c95aa70c14f49277ba7d5db71519fe09ce

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe

Filesize
318KB

MD5
b14b1dcc6773d2cd666a8c6fb14d4873

SHA1
bbc307bb66e732804c2bfb056e47f04c32b3cfda

SHA256
3737de5b3ea253beba60bd0f6cdeb695429b6195e097354015d792a6b30b27d5

SHA512
0ce9caea0b383fdde4b294b46bb3c3ce46b6568c832b614e06a6b8607634bc94aa0d93a5dfcb68669880f4376ebc6e963fd6f4f83930f500129327139800bb4f

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe

Filesize
318KB

MD5
2a0184bd9f791625dbab5fb91490ae11

SHA1
447a290efb2e00fb03c856ee3b565e1210e10912

SHA256
4440feac86707d442a1a47dd1a96200543eb1875c0af09df4cfd4af070608276

SHA512
4089b122016f384848854a89b7fba4f3310e00d7d811f8a1017a24e9e96ba184f231da1201883acffff09a15d836ede204be2d41415e694829051973ce844fee

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe

Filesize
319KB

MD5
f4d6925935fc8d06e76a70b4879a3daa

SHA1
0886a5dc0ade3660f8a15eef5066ee701a7f8e98

SHA256
166ef7c88c841977880b8c1c2114530c46bf2f8b71bf5c97881bd7261dfa458e

SHA512
74f71676ff40b7ed3ceb9629d650ede9b761cc111880303ff6dc1d83295e9b1b8c7769c076b913ec019cbe3c2644146edca7a1a75d29f5d396a28877d144db9c

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe

Filesize
319KB

MD5
091cbd428f989f3a1fed7e04ce99fab2

SHA1
02a7e1e75ce2c6dece86a57cc752f348904a54e0

SHA256
ad50f2b033d9e9ad92d7473767cd8f7dfbbd8d51adc5f8ef32e0fa52c83825d6

SHA512
a6fb88a1d6b1ad0470382e02bdceea723195b8a76791bd4a6db79bd2b7cb4f5bae44b786dee05bfb5e184d642ddfdc785c88cd5996d6789f8b605f1c184dace7

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe

Filesize
319KB

MD5
073925936026e9983cff570dff09bce4

SHA1
4482c5cb54af59d3921be9846c1aadf81087a3e9

SHA256
65ebca369d121fbf556a3c74ea5ef62e436287254ff974c07bbb3c0087a54723

SHA512
027b16ff67f5af3aebdd8a0ad6bb78bcae89ae391ff4fc2b01f8d5759510d0b7ace819091dbd54b931d65d68acd128cbefb25a4aad0378cca8504b530cbeed92

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe

Filesize
319KB

MD5
6826c52a25c99f7b1aabc78d37464405

SHA1
19bed672cd713164b07883b99c5e16a928ebb9a4

SHA256
dd562097112b6f51e8fcdc0569b66ab66f56cda6543388da57c960a3c5725b9c

SHA512
67729c270f7733161bedd43549749c12ab6d3dfa0e32e2234aeea63661064adb14ecf0a2d7958750f4d53d9e2247de752348c30153a8d1059333cc52cce016c8

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe

Filesize
320KB

MD5
85d72bc5cfc861dd9743fad14e2f0fbc

SHA1
89337d59667e62d6753b6837a35851092d6c706d

SHA256
fb6df2a7d5ded938570136279410d42619768b0734c0a4cc4598df9baa379e28

SHA512
b26ebc24fb8e7f944f9003ca28dd98558b194696eae9cec2846f984b44d89d3e6e4c1f54ed05f0ecfa1994178cef59eccae35c33d280db15540b6bd549f602d5

Download Submit
\??\c:\users\admin\appdata\local\temp\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe

Filesize
320KB

MD5
7033642be91dc7506b50de8cd1512d6e

SHA1
fc3d08ee90dfe0d8a9450d6dac0afa4de1d9e0f5

SHA256
b3eec485ffae53aeb955233320990577dafc0aa60cdb5ab5acd5b46b8f3ca640

SHA512
d60f63142d585919516312a131253a86abe8f256c9119ca5cf8777b318c3449a34d8a47d5f41d1c5ab048f256978442eaad14c9587344a18d24db0c6ab7a8e06

Download Submit
memory/216-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/524-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/524-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/592-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/592-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/684-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1068-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1108-247-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1920-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2116-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2116-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2520-110-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3596-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3668-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3888-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4040-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4040-149-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4152-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4152-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4260-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4424-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4424-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4708-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4708-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4808-91-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5036-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5036-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202r.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202e.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202n.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202a.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202g.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202v.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202y.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202c.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202i.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202l.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202q.exe\""	cbfc0ffdecb0fcdf8a873ec4996dcc08818aafc2391db90e2f47e802156522bf_3202p.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads