68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Size

439KB
MD5

036839678eccd8550aa0a5d128ddad90
SHA1

548c4f64da00bf6800c12bb6b0039a438fd9af51
SHA256

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60
SHA512

9a99b577ddbda33b66ab941c09722d019616174c559dc4c256aa811d380817c20e2a930763131b04abba01419a4135528812905918ae18922b2024e63c1fdaf6
SSDEEP

6144:it03a62hzpSNxV2qcJVLNyTiY6wDyIJ2r/bKrvuZqMw6y:Os52hzpHq8eTi30yIQrDKrvuZq7

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 25 IoCs

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe

pid	process
2916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
2744	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
2664	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
2624	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
2804	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
1524	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
2668	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
784	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
2208	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
2856	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
1056	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
2492	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
792	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
2764	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
2092	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
3044	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
1480	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
404	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
2944	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
2720	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
1916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
1676	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
2772	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
2964	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe

Loads dropped DLL 50 IoCs

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe

pid	process
2340	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
2340	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
2916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
2916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
2744	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
2744	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
2664	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
2664	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
2624	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
2624	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
2804	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
2804	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
1524	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
1524	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
2668	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
2668	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
784	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
784	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
2208	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
2208	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
2856	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
2856	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
1056	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
1056	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
2492	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
2492	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
792	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
792	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
2764	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
2764	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
2092	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
2092	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
3044	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
3044	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
1480	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
1480	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
404	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
404	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
2944	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
2944	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
2720	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
2720	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
1916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
1916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
1676	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
1676	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
2884	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
2884	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe

Modifies registry class 54 IoCs

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 6773aab6ff1d6316	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a3d8aa605fd8f2a	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
"C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:784

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:2092

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:3044

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:1480

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:404

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:2944

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:2720

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:1916

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:1676

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
25⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:2772

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
26⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:2884

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
27⤵
- Executes dropped EXE
- Modifies registry class
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe

Filesize
439KB

MD5
48157b211119d260222fbd1997b64440

SHA1
6fda9bda31c324e65bbb0ff33e9e2e65823069d1

SHA256
5f1b5cbb97371acc1724c695d077f2175ba727dbfbbe3506d9e5d360f1946597

SHA512
a7782c9a7a80b20490c730b163ee04b523710552d45ad7a70509b8875e2de22f30d9c2a894e9b429fc9d772b4b208182c7eb0b8b74182554277cbf6383702740

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe

Filesize
440KB

MD5
8f67db00905e3b1dbf381d40c05caf9c

SHA1
ca074a5993ae1d310eb444ebc738f2fef393d0f1

SHA256
580dee19734b9c250d65539def5e857000557f6f0073e658eaf2953e02253bb1

SHA512
2bd9c76bfe2df98fb327fa8913fd49870a0f3709a9edbf8ec8227f1f06bb9faa65ebc3740a5b65bd3b3f5dcf1afb6f0d441e9a10dc243b78c067780be1d04f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe

Filesize
440KB

MD5
7c74d944b586e086bdb7b92087fcf2b2

SHA1
4d6dbbe501ebee4f52fc112db6ee2b055617cf6a

SHA256
acbbd8b59467396b56911659da0ce6fb26f68702ffc6d082e8b89e3a33487c93

SHA512
ac29a6e16fff596b8f1bce41a9c5e972e03feeef777549267318b190c6dffed2050d2e021b86286db68fe13e7ebe84dc1f2bc78bf952b97539f644e9fc0bca9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe

Filesize
440KB

MD5
659a211784ad3d3ce21c17261f021d17

SHA1
fe1270bed2e460127ec34ae487f545ad4f8e3cd5

SHA256
4f88dc2606d15cfab2b1eab1b96dc9ac873d956fe089090fdd44d90c00df6b04

SHA512
3846140daa0c5638de57ccededd459d45216dadddd07182f2d3d7376a77f2279ccde59295d52bb1dd58c47a3e78b1c0cf83a174a87af7534e49b5ea2ea1a2c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe

Filesize
440KB

MD5
854facd8bf38926bc7b7d61870b1bc09

SHA1
54ab8c0bc7e3e954e7a2ab1b964676a72be2685b

SHA256
71757082c6f1d608af287058ca49f8519d9ae7b2fe4f780b3d7fe45219c9f9ef

SHA512
78db0f7ccec3a614127f41af3dd482ad2659c33b79f622a67a81c343d1c12fb5d2759e3e496f883fa362dad7e11dcffb732591dbecccae45cc407664c0855bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe

Filesize
440KB

MD5
a6ef55d593fb9f104b31d4c8827178f4

SHA1
ef3e7a62d89183c7b04cba2eb8a8fe96e49d8ee2

SHA256
24135899f5815cca5f094b4d3321bf930fb7ef2e073b91571e5258f3bf4d8ec3

SHA512
b473879bca339c5db31c75ac000899b9339bc2d813de19a2615b5b9a0797395ef7bcc03896c38aaae68e57db923e7606295742b8c72481baca840f4dce55b9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe

Filesize
441KB

MD5
e8bfd6659226acc184e8bd76fae18ab0

SHA1
93fdd235121685c6f9205084506badae0de45b38

SHA256
528b4c268293266e92b0e76ebe0f1da44de41d647f9f99f4392f308be6a4f11f

SHA512
4fe5b497b0d06d75972d39b98918a13f84bff5e7ac65c57dacf68e534ba45e0b6adcd7138cb51cf1baaa826bb3b8fa68e5eb705b2c26c54824b9919751bc8cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe

Filesize
441KB

MD5
bc1a3991898263a14d2ce22b348e3216

SHA1
cd730a86e98238374bcc45d38d3a69dcd8b4c0d4

SHA256
64bfe50bda6ed1616f76eb33e473559575c89b94c941a53f667de7cd0a1bcea2

SHA512
0132aef06be0a046e8bbe757a482ea90c5829a36241548bc6b96b7693c368796057547ac6c01280cf08f885a99d019d47c946164e47c1af4d6baeed77728d171

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe

Filesize
441KB

MD5
210ca6f22257cb400b7b5a34e2469d36

SHA1
240f8c6f384e493d8ff4c1c9ed9bf05c2600b377

SHA256
92a29be9d756884b857ba95f64183de1ecaf7a903a0039b9175343fcd1bdf9cc

SHA512
387810555e487e59f5dab77a6c8631b0ad1d4871c231c77e78a50beb36afdcabb31db389a78b44d88f7bbf419775c0e0c41f061eb21712c84a909a784439d8a2

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe

Filesize
441KB

MD5
375655b75570b9099ae38f6164ed2a38

SHA1
74355391d4d195274154b1d28ac274673be5d067

SHA256
7f8bb88e658f91beaece784fbb54ae5703fc4ba3d1868f63ca4e0ce49bf03cc3

SHA512
4ccc3ac15df91269afb13acdf7677aaad11fde2f5b06e8896049fc373eff53f5ad272722050af60b85eb44d03f775461eec8599a2c21cc25fc04db431870a23f

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe

Filesize
442KB

MD5
2b25f9ae5cb6da4b8d45dc7655ca85c4

SHA1
b47efdc8bea38880dd4fb4b7db3dfab4474edf68

SHA256
6553c294474987f8bb5842fcbdb3a769ee0a6b9513f0f0601c32fcd54a18e1f4

SHA512
d07327597913652cb2232dcf06c01011903faf6a771b83b4ba5f253b8b7651ffe39e9a224270bac119f1d57621d1ed3b71bc8a212a5f11c301da8a4d616da534

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe

Filesize
442KB

MD5
ea9e02686f3c939fb3a596adfd272c47

SHA1
a239be20ad2b9338c665f9d824fbc33704919cce

SHA256
156a512d2f7b00b696f58d3f315c8f553d1eeb7f57d95f66610bb5ad0ab7728c

SHA512
d2a6e50b4ea0165c77f08eef4318f61d5df366216b558b3c14bb487a1722b214c4332cd1ec55f94d6079ea727c34e4c2b072ea97314a427d230f9bf5429a9c8e

Download Submit
\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe

Filesize
439KB

MD5
e849c58af5856d09891130117e7aef60

SHA1
74bf91145ce352ed636381d884587015a6bef8a1

SHA256
7fdf564fd530e3dd76bc54e662edac3139d09648eed58e6e3ad47b712e17c302

SHA512
e99bc94da57883484a666b0db96c9cb462b2239b425103f52e79cc660084845a4465746d5a95ecce5bd0764f8055419efe3e98e27d779d6cb7f858860c977133

Download Submit
\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe

Filesize
439KB

MD5
b081796c88ee7e30f0a2b56bb6ae2095

SHA1
41bd77a5236e5cb4cee34eb756bbff940466c816

SHA256
04969d9f6ae6dba35cc25aa6f197d9b471dc5b47502c2eff9c20326d6da3e8ca

SHA512
d07d56140266d3b69a1565efa006bb770b62deb21528151d9dcef548e66a40d116da7e4604b1855062c700319114a5d3c8912637aa69c978dc9304b640e3f074

Download Submit
\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe

Filesize
442KB

MD5
5acd013f33e026e301c48026fde4f6e2

SHA1
2242e1573ac26bb7abbb9011b29100489b76108d

SHA256
d6d88c7b758b855983ea6eee60d8e8dd7cfd54582b8efe8de868c16296e8f9da

SHA512
ec8a3f7fba7964a15baa1698262b1a2a81abc84f1255a663954c51f475ef460bdbdc392529c05a1a6f2e94b483ccfd29cde008652b2c61efd70d16b03ffd7d0d

Download Submit
\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe

Filesize
442KB

MD5
958a7d46af2c7374374476fbfe10dd77

SHA1
556481e658d9c2eb085305345075a696b0cf1117

SHA256
16357c105ab1b314db83b74a7195254baf91acc672c5463e35851fea0c8af87e

SHA512
a1d45979690bdbc7deca247bb75ac67f448c2855aaa866997c81fa2822e3624eb1a2c4bd8de61540f9a91e3a72fc5e92530f86609687d4b9621cbc91590c528a

Download Submit
memory/404-292-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/404-303-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/784-142-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/792-236-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1056-204-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1480-291-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1480-280-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1524-111-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1524-96-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1676-340-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1676-351-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1916-339-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1916-328-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2092-266-0x00000000027A0000-0x0000000002819000-memory.dmp

Filesize
484KB

Download
memory/2092-253-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2092-264-0x00000000027A0000-0x0000000002819000-memory.dmp

Filesize
484KB

Download
memory/2092-267-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2208-173-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2308-158-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2308-143-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2340-8-0x0000000001DF0000-0x0000000001E69000-memory.dmp

Filesize
484KB

Download
memory/2340-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2340-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2492-221-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2492-205-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2624-79-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2624-64-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2664-48-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2664-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2668-214-0x0000000000510000-0x0000000000589000-memory.dmp

Filesize
484KB

Download
memory/2668-126-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2668-112-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2720-327-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2720-316-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2744-47-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2744-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2764-237-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2764-252-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2772-352-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2772-356-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2772-355-0x0000000076E90000-0x0000000076F8A000-memory.dmp

Filesize
1000KB

Download
memory/2772-354-0x0000000076D70000-0x0000000076E8F000-memory.dmp

Filesize
1.1MB

Download
memory/2804-81-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2804-94-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2856-188-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2856-174-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2884-368-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2884-357-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2916-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2916-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2944-315-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2944-304-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-370-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2964-369-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3044-278-0x0000000000480000-0x00000000004F9000-memory.dmp

Filesize
484KB

Download
memory/3044-279-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe

description	pid	process	target process
PID 2340 wrote to memory of 2916	2340	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
PID 2340 wrote to memory of 2916	2340	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
PID 2340 wrote to memory of 2916	2340	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
PID 2340 wrote to memory of 2916	2340	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
PID 2916 wrote to memory of 2744	2916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
PID 2916 wrote to memory of 2744	2916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
PID 2916 wrote to memory of 2744	2916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
PID 2916 wrote to memory of 2744	2916	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
PID 2744 wrote to memory of 2664	2744	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
PID 2744 wrote to memory of 2664	2744	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
PID 2744 wrote to memory of 2664	2744	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
PID 2744 wrote to memory of 2664	2744	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
PID 2664 wrote to memory of 2624	2664	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
PID 2664 wrote to memory of 2624	2664	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
PID 2664 wrote to memory of 2624	2664	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
PID 2664 wrote to memory of 2624	2664	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
PID 2624 wrote to memory of 2804	2624	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
PID 2624 wrote to memory of 2804	2624	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
PID 2624 wrote to memory of 2804	2624	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
PID 2624 wrote to memory of 2804	2624	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
PID 2804 wrote to memory of 1524	2804	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
PID 2804 wrote to memory of 1524	2804	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
PID 2804 wrote to memory of 1524	2804	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
PID 2804 wrote to memory of 1524	2804	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
PID 1524 wrote to memory of 2668	1524	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
PID 1524 wrote to memory of 2668	1524	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
PID 1524 wrote to memory of 2668	1524	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
PID 1524 wrote to memory of 2668	1524	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
PID 2668 wrote to memory of 784	2668	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
PID 2668 wrote to memory of 784	2668	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
PID 2668 wrote to memory of 784	2668	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
PID 2668 wrote to memory of 784	2668	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
PID 784 wrote to memory of 2308	784	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
PID 784 wrote to memory of 2308	784	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
PID 784 wrote to memory of 2308	784	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
PID 784 wrote to memory of 2308	784	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
PID 2308 wrote to memory of 2208	2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
PID 2308 wrote to memory of 2208	2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
PID 2308 wrote to memory of 2208	2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
PID 2308 wrote to memory of 2208	2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
PID 2208 wrote to memory of 2856	2208	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
PID 2208 wrote to memory of 2856	2208	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
PID 2208 wrote to memory of 2856	2208	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
PID 2208 wrote to memory of 2856	2208	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
PID 2856 wrote to memory of 1056	2856	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
PID 2856 wrote to memory of 1056	2856	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
PID 2856 wrote to memory of 1056	2856	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
PID 2856 wrote to memory of 1056	2856	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
PID 1056 wrote to memory of 2492	1056	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
PID 1056 wrote to memory of 2492	1056	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
PID 1056 wrote to memory of 2492	1056	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
PID 1056 wrote to memory of 2492	1056	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
PID 2492 wrote to memory of 792	2492	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
PID 2492 wrote to memory of 792	2492	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
PID 2492 wrote to memory of 792	2492	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
PID 2492 wrote to memory of 792	2492	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
PID 792 wrote to memory of 2764	792	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
PID 792 wrote to memory of 2764	792	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
PID 792 wrote to memory of 2764	792	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
PID 792 wrote to memory of 2764	792	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
PID 2764 wrote to memory of 2092	2764	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
PID 2764 wrote to memory of 2092	2764	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
PID 2764 wrote to memory of 2092	2764	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
PID 2764 wrote to memory of 2092	2764	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe